http://arstechnica.com/security/2012/06/flame-malware-was-signed-by-rogue-microsoft-certificate/

By Dan Goodin
ars technica
June 4 2012

Microsoft released an emergency Windows update on Sunday after revealing that one of its trusted digital signatures was being abused to certify the validity of the Flame malware that has infected computers in Iran and other Middle Eastern countries.

The compromise exploited weaknesses in Terminal Server, a service many enterprises use to provide remote access to end-user computers. By targeting an undisclosed, weak cryptographic algorithm that Microsoft used when issuing licenses for the service, attackers were able to create rogue intermediate certificate authorities that carried the imprimatur of Microsoft's own root authority certificate, an extremely sensitive cryptographic seal. Because those rogue intermediates chained to the Microsoft root and were permitted to sign code, they could trick administrators and end users into trusting various Flame components by falsely certifying that they were produced by Microsoft.

"We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft," Microsoft Security Response Center Senior Director Mike Reavey wrote in a blog post published Sunday night. "We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft. Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft."

The exploit, which abused a series of intermediate authorities that were ultimately signed by Microsoft's root authority, is the latest coup for Flame, a highly sophisticated piece of espionage malware that came to light last Monday.
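The two properties the article describes are things an administrator can audit directly on a Windows host: whether any link in a binary's Authenticode chain is signed with a weak hash algorithm, and whether the chain still passes through an intermediate that the platform has since explicitly distrusted (the emergency update described above works by moving the affected licensing certificates into the Untrusted Certificates store). The script below is an added example, not code from the article or from Microsoft; it assumes a path to a signed PE file is supplied in `$Path`, and it deliberately skips revocation checking so it runs offline.

```powershell
# Added example: audit the Authenticode signer chain of one binary for
# (a) a weak (MD5-family) signature algorithm anywhere in the chain,
# (b) a chain element that sits in the machine's Untrusted (Disallowed) store,
# and print each link's Enhanced Key Usage so over-privileged CAs stand out.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # assumption: path to a signed PE, e.g. C:\Windows\System32\ntdll.dll
)

$sig = Get-AuthenticodeSignature -FilePath $Path
if ($null -eq $sig.SignerCertificate) {
    Write-Output "$Path : no Authenticode signature present"
    return
}
Write-Output ("{0} : signature status = {1}" -f $Path, $sig.Status)

# Build the chain as CryptoAPI would, but without revocation so it works offline.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$null = $chain.Build($sig.SignerCertificate)

# Thumbprints the platform has explicitly distrusted.
$disallowed = @(Get-ChildItem Cert:\LocalMachine\Disallowed | ForEach-Object { $_.Thumbprint })

$findings = @()
foreach ($el in $chain.ChainElements) {
    $c    = $el.Certificate
    $algo = $c.SignatureAlgorithm.FriendlyName   # e.g. "md5RSA", "sha256RSA"

    if ($algo -match 'md5') {
        $findings += "weak signature algorithm ($algo) on '$($c.Subject)'"
    }
    if ($disallowed -contains $c.Thumbprint) {
        $findings += "explicitly distrusted certificate in chain: '$($c.Subject)'"
    }

    # A CA certificate whose EKU includes Code Signing, or that carries no EKU
    # at all (unrestricted), is the kind of over-privileged link the article
    # describes: a licensing-only CA that could nevertheless vouch for code.
    $ekuExt = $c.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuText = if ($ekuExt) {
        ($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', '
    } else {
        '(no EKU: unrestricted)'
    }
    Write-Output ("  {0}`n      sigalg={1}  eku={2}" -f $c.Subject, $algo, $ekuText)
}

if ($findings.Count -eq 0) {
    Write-Output "No weak-algorithm or distrusted links found in the chain."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it as `.\Audit-SignerChain.ps1 -Path <file>` from an elevated prompt so the LocalMachine Disallowed store is readable. The point of printing the EKU for every link, not just the leaf, is that Authenticode trust is only as narrow as the least-restricted CA in the chain; a signer whose leaf looks fine but whose issuer is a licensing CA with code-signing capability is exactly the pattern described above.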
Flame's 20-megabyte size, its extensive menu of sophisticated spying capabilities, and its focus on computers in Iran have led researchers from Kaspersky Lab, Symantec, and other security firms to conclude it was sponsored by a wealthy nation-state. Microsoft's disclosure follows Friday's revelation that the George W. Bush and Obama administrations developed and deployed Stuxnet, the highly advanced software used to set back the Iranian nuclear program by sabotaging uranium centrifuges at Iran's Natanz refining facility.

[...]

Received on Mon Jun 04 2012 - 01:55:51 PDT
This archive was generated by hypermail 2.2.0 : Mon Jun 04 2012 - 01:48:20 PDT