Friday, June 8, 2012

Emergency Patch to fix security hole in Microsoft Windows Update

This one looks like it is under control now, but if you don't have Windows Update turned on and haven't updated recently, stop reading and update NOW! Someone very clever figured out how to distribute software that looks like it is digitally signed by Microsoft, so it would be inherently trusted by your computer and installed without asking you for permission. Since Windows Updates for June will come out on Tuesday next week, you should get this done before then!

The first and last articles linked below are the most readable.

‘Flame’ Malware Prompts Microsoft Patch — Krebs on Security
Microsoft has issued an emergency security update to block an avenue of attack first seen in “Flame,” a newly-discovered, sophisticated malware strain that experts believe was designed to steal data specifically from computers in Iran and the Middle East.

According to Microsoft, Flame tries to blend in with legitimate Microsoft applications by cloaking itself with an older cryptography algorithm that Microsoft used to digitally sign programs.

“Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft,” the company said in a blog posting today.

Unauthorized digital certificates could allow spoofing
Microsoft has released a Microsoft security advisory about this issue for IT professionals. The security advisory contains additional security-related information. To view the security advisory, visit the following Microsoft website:
ISC Diary | Microsoft Emergency Bulletin: Unauthorized Certificate used in "Flame"
Published: 2012-06-04
Last Updated: 2012-06-05 10:29:19 UTC
by Johannes Ullrich (Version: 4)

Microsoft just released an emergency bulletin, and an associated patch, notifying users of Windows that "unauthorized digital certificates derived from a Microsoft Certificate Authority" were used to sign components of the "Flame" malware.
It is not clear from the bulletin who had access to these intermediate certificates, and if they were abused by an authorized user, or if they were compromised and used by an unauthorized user. Either way: Apply the patch.

The bulletin also doesn't state if this intermediate certificate authority or certificates derived from it could be used to fake the patch. Microsoft certificates are used to sign patches, and a compromise could lead to a severe break in the trust chain. The use of a "real" Microsoft certificate is surely going to increase the speculation as to the origin of Flame.

US-CERT: Unauthorized Microsoft Digital Certificates
added Monday, June 4, 2012 at 09:16 am | updated Tuesday, June 5, 2012 at 12:20 pm

Microsoft has released a security advisory to address the revocation of a number of unauthorized digital certificates. Maintaining these certificates within your certificate store may allow an attacker to spoof content, perform a phishing attack, or perform a man-in-the-middle attack.
Microsoft has provided an update to all supported versions of Microsoft Windows to address this issue. Additional information can be found in Microsoft Security Advisory 2718704.

US-CERT encourages users and administrators to apply any necessary updates to help mitigate the risk.

Update: For more information, please see US-CERT Technical Alert TA12-156A.

Flame malware used man-in-the-middle attack against Windows Update | Naked Security
by Chester Wisniewski on June 4, 2012

Microsoft has released an emergency update for all versions of Windows to address a certificate flaw that was used to spread the Flame malware from machine to machine.

Of course you have to trust that your connection to Windows Update is not being attacked while you're retrieving the update that prevents you from being attacked.

This is not the first time we have seen malware abusing digital certificates, but this one is a bit more advanced than previous attacks.
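As an added check, not taken from any of the articles quoted above, here is a small PowerShell function an administrator can run on a Windows host to confirm the fix from Microsoft Security Advisory 2718704 is in place. It assumes the update is listed by Get-HotFix under the ID KB2718704 and that the revoked licensing certificates have been placed in the machine's Disallowed (Untrusted Certificates) store; the `*Licensing*` subject pattern is an assumption based on the Terminal Server Licensing Service named in the advisory.

```powershell
# Added example (not from the quoted articles): report whether the advisory
# 2718704 fix is present on this host.
# Assumptions: the update appears in Get-HotFix as KB2718704, and the revoked
# certificates were moved to Cert:\LocalMachine\Disallowed. The subject
# pattern below is a guess based on the "Terminal Server Licensing Service"
# wording in the advisory; adjust it if your store uses different names.
function Test-Advisory2718704 {
    [CmdletBinding()]
    param(
        [string]$SubjectPattern = '*Licensing*'
    )

    # Get-HotFix errors out when the ID is absent, so suppress that and
    # treat "nothing returned" as "not installed".
    $hotfix = Get-HotFix -Id 'KB2718704' -ErrorAction SilentlyContinue

    # Untrusted certificates live in the Disallowed store of the machine.
    $disallowed = @(Get-ChildItem -Path 'Cert:\LocalMachine\Disallowed' |
        Where-Object { $_.Subject -like $SubjectPattern })

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        HotfixInstalled      = [bool]$hotfix
        HotfixInstalledOn    = if ($hotfix) { $hotfix.InstalledOn } else { $null }
        DisallowedLicensingCA = $disallowed | ForEach-Object { $_.Subject }
        # Newer Windows builds ship the entries without a separate hotfix,
        # so either signal counts as remediated.
        Remediated           = [bool]$hotfix -or ($disallowed.Count -gt 0)
    }
}

Test-Advisory2718704 | Format-List
```

A host where `Remediated` is false and Windows Update is off should be patched by hand before next Tuesday's update cycle, as the post above recommends.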
