Microsoft Fans Flamer With Bogus Cert
A week ago, the Flamer virus was revealed, but there were precious few details on how it may have infected victims. Now thanks to a Sunday disclosure from Microsoft, we know at least one potential vector.
An unauthorized digital certificate signed by Microsoft may well have enabled Flamer code to be installed on end user PCs. Microsoft's investigation revealed that part of the Flame malware had been signed with digital certificates that chained all the way up to the Microsoft Root Authority.
With the bogus certificate, Flamer malware would look like legitimate software signed by Microsoft. The bogus certificate signing was made possible by way of a flaw in Microsoft's Terminal Services licensing certification authority, which has now been patched and updated.
"We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft," Mike Reavey, Senior Director, MSRC Microsoft Trustworthy Computing wrote in a blog post. "Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft."
Microsoft Security Advisory 2718704 revokes trust in a pair of Microsoft Certificate Authorities to help mitigate and remove the risk. Additionally, Microsoft no longer allows anyone to sign certificates via the Terminal Services activation and licensing system. The advisory affects Windows XP, Vista, 7 and even the new Windows 8 Preview release.
As to why the vulnerability was possible in the first place, Jonathan Ness of Microsoft Security Response Center Engineering explained in a blog post that the Terminal Services licensing certification authority should only have been usable for license server verification. What Microsoft's investigation found was that the Terminal Services licensing CA could also be tricked into providing a bona fide Microsoft digital signature for code. Signatures obtained this way also bypassed Microsoft's own code signing infrastructure.
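For an administrator, the two things worth verifying on a Windows host are that the revoked licensing CAs now sit in the Untrusted Certificates store (where Advisory 2718704 places them) and that no signed binary of interest chains through a CA signed with an old hash algorithm such as MD5. The PowerShell below is an added example, not code from the article or from Microsoft; the subject-name filter (`Licensing`) and the sample file path are assumptions and should be checked against the advisory's own list of affected certificates.

```powershell
# Added example: audit a host for the conditions Advisory 2718704 addresses.
param(
    # Any signed file to inspect; notepad.exe is just a convenient sample.
    [string]$Path = "$env:SystemRoot\System32\notepad.exe"
)

# Assumption: the revoked CAs can be recognised by this substring in the
# subject. Verify against the advisory before relying on it.
$licensingPattern = 'Licensing'

Write-Host "== Untrusted store entries matching '$licensingPattern' =="
$disallowed = Get-ChildItem Cert:\LocalMachine\Disallowed |
    Where-Object { $_.Subject -match $licensingPattern }
if ($disallowed) {
    $disallowed | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize
} else {
    Write-Warning "No licensing CA in the Untrusted store; confirm the advisory update is installed."
}

Write-Host "== Authenticode chain for $Path =="
$sig = Get-AuthenticodeSignature -FilePath $Path
if (-not $sig.SignerCertificate) {
    Write-Host "File is not signed (status: $($sig.Status))."
    return
}

# Build the chain offline; revocation is a separate check from the hash audit.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
[void]$chain.Build($sig.SignerCertificate)

# Walk every element of the chain, not just the leaf: the weak signature and
# the licensing CA in the Flamer case were both above the signing certificate.
foreach ($el in $chain.ChainElements) {
    $c     = $el.Certificate
    $alg   = $c.SignatureAlgorithm.FriendlyName   # e.g. md5RSA, sha1RSA, sha256RSA
    $flags = @()
    if ($alg -match 'md5')                    { $flags += 'WEAK-HASH' }
    if ($c.Subject -match $licensingPattern)  { $flags += 'LICENSING-CA-IN-CHAIN' }
    "{0,-12} {1}  {2}" -f $alg, $c.Subject, ($flags -join ',')
}
"Overall signature status: $($sig.Status)"
```

Run it elevated so the machine store is readable; a chain element tagged WEAK-HASH or LICENSING-CA-IN-CHAIN is the signal to look at, even when the overall Authenticode status reports Valid.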