Microsoft revokes certificates used in Flame malware

Juha Saarinen | Jun 5, 2012 2:41 AM
Windows 8 gets first security patch.

Microsoft has issued emergency updates for all versions of Windows to revoke three of its own certificates used to sign the recently discovered Flame malware.

The updates, which include release previews for Windows 8 and Windows Server 2012, sought to prevent future use of the certificates to "spoof content, perform phishing attacks, or perform man-in-the-middle attacks" on operating system updates.

The certificates were initially issued so that customers could authorise Remote Desktop services in their enterprises.

According to a Microsoft security advisory, the creators of the Flame malware – discovered last week but thought to have been active for some time – exploited a bug in the Terminal Services licensing certificate authority that allowed them to generate fake certificates, which made the malware code appear trustworthy.

Microsoft security engineer Jonathan Ness said an older cryptography method, used to sign and issue certificates for trusted software, could be exploited in this way.

Ness said components of the Flame malware were signed with a certificate that ultimately chained up to the Microsoft Root Authority. Such a certificate would allow attackers to sign code and make it appear as if it had been produced by Microsoft rather than a third party.

The malware spread through removable media and exploited a since-patched Microsoft printer vulnerability – the same one exploited by Stuxnet.

It contained a backdoor and a trojan and had worm-like features, allowing it to replicate across a local network and onto removable media if commanded to do so.

F-Secure's chief research officer Mikko Hypponen said in a blog post that access to bogus Microsoft certificates was the "holy grail of malware writers".

"This has now happened," he said.

Despite the exploit, Hypponen said the certificate flaw had not been used by Flame's writers to conduct financial attacks. Instead, he said the malware was most likely the work of a Western intelligence agency looking to conduct targeted attacks.