June 5, 2012

Windows Gets Flamed

Michael Harper for RedOrbit.com

Microsoft released an unscheduled emergency security update for Windows on Sunday after discovering that a certificate chaining to one of its own root authorities had been used to sign components of the Flame malware found in the Middle East.

To obtain such a certificate, the attackers responsible took advantage of a weakness in the Terminal Server Licensing Service, which issues certificates that let enterprises activate Remote Desktop services on their client computers. Because those licensing certificates chained to a Microsoft root, were signed with the obsolete MD5 hash and were not restricted from code signing, the attackers could derive a rogue intermediate authority from them and sign their malware so that Windows trusted it as if it were Microsoft code.

“We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft,” writes Mike Reavey, Senior Director of the Microsoft Security Response Center, in a Sunday evening blog post.

“We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft. Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft.”

This isn't the first time the Flame malware has popped up in the news in recent weeks, however. Called the “most sophisticated” cyber weapon ever used, the malware has been found to actively target sensitive information in the Middle East.

“Flame can easily be described as one of the most complex threats ever discovered. It's big and incredibly sophisticated,” wrote Alexander Gostev, Kaspersky Lab's head of global research and analysis, in a blog post.

“It pretty much redefines the notion of cyberwar and cyberespionage.”

In fact, the Flame malware is so sophisticated and so extensive in what it can do, some lead researchers from Kaspersky Lab, Symantec and others suspect it may be funded by a wealthy nation.

Such suspicions have precedent: last Friday it was reported that both the Bush and Obama administrations had been responsible for the creation and deployment of Stuxnet, the software used to sabotage the Iranian nuclear program.

Microsoft's emergency update also moves the certificate authorities involved, all of which chain to a Microsoft root, into the Windows Untrusted Certificates store, so that anything signed under them is no longer trusted. Without the update, a Windows machine will continue to accept code signed through this chain as if it came from Microsoft.

In addition to the update, Microsoft has stopped issuing certificates that can be used for code signing through Terminal Services activation. The very fact that such a weakness existed is startling for any Windows user, and though the Sunday evening blog post acknowledged the problem, it offered no explanation of how a licensing certificate came to carry code-signing rights in the first place.
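The practical question for an administrator reading this is whether the update actually took effect, and whether anything on a given machine was signed through the licensing chain. The following PowerShell script is an added example, not code from the article or from Microsoft: it checks the machine's Disallowed (Untrusted) store for the licensing CAs the update distrusts, and builds the signer chain of a given file to see whether it passes through them. The certificate subject names are the ones Microsoft listed for this update and are not in the article, so verify them against Microsoft's advisory before relying on the script.

```powershell
# Added example (not from the article or from Microsoft). Assumptions: the
# subject names below match the licensing CAs the emergency update moves to
# the Untrusted store; check them against Microsoft's own advisory.
$distrustedSubjects = @(
    'CN=Microsoft Enforced Licensing Intermediate PCA',
    'CN=Microsoft Enforced Licensing Registration Authority CA (SHA1)'
)

function Test-LicensingChainDistrusted {
    # Returns $true only when every named licensing CA is present in the
    # machine's Disallowed store, which is what the update installs.
    $disallowed = Get-ChildItem -Path Cert:\LocalMachine\Disallowed
    foreach ($subject in $distrustedSubjects) {
        $hit = $disallowed | Where-Object { $_.Subject -like "$subject*" }
        if (-not $hit) {
            Write-Warning "Not in Disallowed store: $subject"
            return $false
        }
    }
    return $true
}

function Test-SignedFileUsesLicensingChain {
    param([Parameter(Mandatory = $true)][string]$Path)
    # Reads the file's Authenticode signature, builds the signer's chain with
    # the system's trust settings, and reports whether any chain element is one
    # of the licensing CAs. After the update such a file should no longer
    # validate (Status other than 'Valid') even though the leaf names Microsoft.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        return [pscustomobject]@{
            Path = $Path; Signed = $false; Status = $sig.Status; ViaLicensingCA = $false
        }
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null = $chain.Build($sig.SignerCertificate)
    $viaLicensing = $false
    foreach ($element in $chain.ChainElements) {
        foreach ($subject in $distrustedSubjects) {
            if ($element.Certificate.Subject -like "$subject*") { $viaLicensing = $true }
        }
    }
    [pscustomobject]@{
        Path           = $Path
        Signed         = $true
        Status         = $sig.Status
        Signer         = $sig.SignerCertificate.Subject
        ViaLicensingCA = $viaLicensing
    }
}

# Usage (run in an elevated PowerShell session):
# Test-LicensingChainDistrusted
# Get-ChildItem C:\Windows\Temp\*.exe |
#     ForEach-Object { Test-SignedFileUsesLicensingChain -Path $_.FullName }
```

A file that reports `ViaLicensingCA = $true` with `Status = Valid` means the update has not been applied on that host; the same file should report a non-valid status once the licensing CAs sit in the Disallowed store.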

“This is a pretty big goof,” said Marsh Ray, a software developer for two-factor authentication company PhoneFactor, to Ars Technica.

For its part, Microsoft's blog post suggests subscribing to its comprehensive security alerts and watching its websites for further information as the situation develops.