14 DAY TRIAL // Microsoft has released a second security advisory to detail the way Flame, the now-infamous piece of malware, has managed to sign its code to make it look like it comes from Microsoft.
According to Mike Reavey, senior director at MSRC, Flame utilized a cryptographic collision attack, along with the terminal server licensing service certificates in order to achieve its goal.
However, the collision is not a necessity since code signing can be achieved through other means.
“This is an avenue for compromise that may be used by additional attackers on customers not originally the focus of the Flame malware. In all cases, Windows Update can only be spoofed with an unauthorized certificate combined with a man-in-the-middle attack,” Reavey said.
Microsoft advises customers to install the updates as soon as possible to mitigate the threats posed by the Flame.
By removing the unauthorized certificates, the Redmond company made sure that potential “copycat” attacks would be avoided, but the updates are the ones that prevent them from being used against systems that run Windows.
Jeff Hudson, the CEO of Venafi, a certificate management company, has been vocal about the subject of Stuxnet and, more recently, Flame. He provided some interesting insight on how cybercriminals leverage rogue certificates to spread their pieces of malware.
“Certificates exactly like the ones compromised as part of the Flame malware, are used everywhere in organizations worldwide today and are vulnerable to the exact same compromise,” the expert told Softpedia.
“If organizations do not have an automated management system in place, the likelihood of a catastrophic event is very high. Also, when the event occurs, recovery and remediation will take a very long time. Just like you need to manage and keep software up to date, you need to do the same thing with certificates.”