Microsoft Attempts To Douse Flame Malware
June 15, 2012


John Neumann for

The malware, called Flame, is a highly complex malicious tool that has actively targeted computers in the Middle East. It was forced to self-terminate, almost completely without a trace, and was in fact discovered only after the UN's telecoms arm reached out to security firms last month for help identifying a virus that was stealing data from many Middle Eastern computers.

The Flame malware, which was recently discovered infecting computers in Iran and other Middle Eastern countries, was able to spread from one computer to another inside targeted networks by setting up a fake Windows Update server, writes Alex Sotirov for ArsTechnica.

For the attack to work, the fake update had to be digitally signed by a source that ultimately led back to Microsoft's root authority key.

In response, Microsoft Wednesday released an automatic updater--available for Windows Vista, Windows 7, as well as Windows Server 2008 and 2008 R2--that keeps tabs on a list of known-bad digital certificates, including the one exploited by Flame, reports Mathew J. Schwartz for InformationWeek.

“This updater expands on the existing automatic root update mechanism technology that is found in Windows Vista and in Windows 7 to let certificates that are compromised or are untrusted in some way be specifically flagged as untrusted,” according to Microsoft's related update notes.

“The goal of the new updater is to allow for updates to the untrusted certificate store in one day--or less--after a new bad certificate is known,” said SANS Institute chief research officer Johannes B. Ullrich in a blog post. “A [bit] sad that we need this, but it does appear to be necessary to have a method to continuously update a bad certificate [list],” not least to stop malware of the Flame variety.

Revoking bad digital certificates is a tricky business. One approach has been to use a certificate revocation list (CRL), which includes the serial numbers of all certificates that have been revoked and should no longer be trusted. Meanwhile, Microsoft had also relied on the Online Certificate Status Protocol (OCSP), an Internet protocol used to obtain the revocation status of an X.509 digital certificate.

Jeff Hudson, CEO of Venafi, inventor and market leader of Enterprise Key and Certificate Management (EKCM) solutions, tells Richard Stiennon of Forbes that they have inspected the types of certificates deployed in Global 2000 organizations. Of the 450 companies they have scanned, 17 percent of all certificates are based on MD5.

Flame has paved the way for future attacks against organizations that still rely on a technology that was proven vulnerable in 2008. I expect to see this type of attack within a year.
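The two defensive checks the article describes, keeping a list of known-bad certificates (Microsoft's untrusted-store updater) and finding certificates still signed with MD5 (Venafi's inventory scan), both start from the same thing: the DER encoding of each deployed certificate. The following is an added example, not code from the article, from Microsoft or from Venafi. It walks the outer RFC 5280 Certificate structure with a minimal pure-Python DER reader to pull out the signature algorithm OID, computes the SHA-1 thumbprint Windows uses to identify a certificate, and reports any certificate that is either on a blocklist or MD5-signed. Because no real certificates are embedded, the sample inputs are constructed stubs whose tbsCertificate is a placeholder; only the outer layout matches a real certificate. The function and constant names are this example's own.

```python
"""Inventory check for deployed X.509 certificates (added example).

Flags (1) certificates whose SHA-1 thumbprint is on an untrusted list and
(2) certificates signed with an MD5-based algorithm. Uses a minimal DER
reader so it runs offline without OpenSSL or the cryptography package.
"""
import hashlib

# Signature-algorithm OIDs from PKCS#1 / RFC 3279 (real values).
MD5_RSA_OID = "1.2.840.113549.1.1.4"      # md5WithRSAEncryption
SHA1_RSA_OID = "1.2.840.113549.1.1.5"     # sha1WithRSAEncryption
SHA256_RSA_OID = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption
OID_NAMES = {MD5_RSA_OID: "md5WithRSAEncryption",
             SHA1_RSA_OID: "sha1WithRSAEncryption",
             SHA256_RSA_OID: "sha256WithRSAEncryption"}
MD5_SIGNATURE_OIDS = {MD5_RSA_OID}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode OID content bytes to dotted form (first arc 0/1/2 handled per X.690)."""
    first = raw[0]
    arcs = [min(first // 40, 2), first - 40 * min(first // 40, 2)]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(der):
    """Return the OID in the outer signatureAlgorithm of a DER Certificate."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, _tbs, pos = _read_tlv(body, 0)       # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(body, pos)   # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_raw, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid_raw)


def thumbprint(der):
    """Windows-style thumbprint: SHA-1 over the DER encoding, lowercase hex."""
    return hashlib.sha1(der).hexdigest()


def assess(der, untrusted_thumbprints):
    """Return a list of findings for one certificate (empty list means no issue)."""
    findings = []
    if thumbprint(der) in untrusted_thumbprints:
        findings.append("untrusted: thumbprint on blocklist")
    oid = signature_algorithm_oid(der)
    if oid in MD5_SIGNATURE_OIDS:
        findings.append(f"weak signature: {OID_NAMES.get(oid, '?')} ({oid})")
    return findings


# --- constructed sample input (DER encoder for the stub certificates) ---
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_stub_certificate(sig_oid):
    """Constructed stand-in: real tbsCertificate replaced by a placeholder SEQUENCE."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                       # placeholder body
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # OID + NULL
    sig = _tlv(0x03, b"\x00" + bytes(32))                         # placeholder BIT STRING
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    inventory = {"legacy-md5": make_stub_certificate(MD5_RSA_OID),
                 "revoked": make_stub_certificate(SHA256_RSA_OID),
                 "ok": make_stub_certificate(SHA256_RSA_OID)}
    blocklist = {thumbprint(inventory["revoked"])}   # constructed untrusted-store entry
    for name, der in inventory.items():
        print(name, assess(der, blocklist) or ["no findings"])
```

In a real scan the `der` bytes would come from the certificate store or from files, and the blocklist from the published untrusted-certificate list rather than from a stub; only the parsing and classification would stay the same.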

Hudson explained, “I often wonder why something so fundamental as knowing which certificates are active on the network, understanding their attributes, and managing the keys associated with the certificates is not a top priority.”

“Especially when managing these instruments radically reduces the vulnerability. This isn't hypothetical; the compromise and threat have happened time and again.”

Microsoft recently revamped its key management process to prevent similar attacks from working in the future. But it has yet to say why it employed such a vulnerable system in the first place, or why it continued to rely on MD5 for so long.