Flame Singes Microsoft Security Certificates
The Flame malware that's been creeping through computer systems in the Middle East used Microsoft digital certificates to launch attacks. Redmond has issued a security advisory and shut down the affected certs. Microsoft found that certificates issued by its Terminal Services licensing certification authority could be used to sign code without accessing the company's internal public key infrastructure.
06/04/12 2:44 PM PT
Microsoft issued a security advisory over the weekend after it was discovered that the Flame malware has been spoofing its digital certificates to launch attacks.
The company also shut down three affected certificates and stopped its Terminal Server Licensing Service from issuing certificates that allows code to be signed.
Microsoft built an emergency update to revoke the trust placed in the three affected certificates, and has made it available through its Windows Update and Automatic Updates services. The update automatically adds those certificates to the Untrusted Certificate Store.
"I think Microsoft acted with appropriate speed and certainly didn't damage its credibility," Roger Thompson, chief emerging threats researcher at ICSA Lab, told TechNewsWorld.
While Flame's spoofing of Microsoft digital certs "was definitely an unwelcome fire drill for the PR folks, it's likely to fade from memory quite quickly," Randy Abrams, an independent security consultant, told TechNewsWorld. "This was ... a highly sophisticated and targeted attack so the impact is not seen by many people at all."
What Happened With Microsoft Certs
Three Microsoft certificates were spoofed by Flame. Redmond's investigations found that these link up to a sub-certification authority issued under the Microsoft Root Authority.
Microsoft found that certificates issued by its Terminal Services licensing certification authority could be used to sign code without accessing the company's internal public key infrastructure (PKI).
The three certificates are two versions of the Microsoft Enforced Licensing Intermediate PCA, issued by the Microsoft Root Authority; and a Microsoft Enforced Licensing Registration Authority certificate authority (SHA1), issued by the Microsoft Root Certificate Authority.
Spoofed certs let attackers sign code that's then validated as having been produced by Microsoft.
Microsoft spokesperson Kyle Henderson pointed to the company's various blogposts on the Flame hack in response to requests for further details.
The Illusory Safety of Digital Certs
"A digital certificate on a file means one and only one thing -- that the file has not changed since it was signed," said security consultant Abrams, who used to work in a group at Microsoft that was responsible for the safekeeping of digital certificates. "Anything else attributed to the meaning of the digital signature is a delusion and is not founded in fact. A digital signature does not mean that a file is good or harmless. It does not mean that due diligence was done in investigating the background of the entity it was issued to."
Digital certs "would detect if a piece of code had been infected by a virus after the code had been signed, but if the developer's machine was already infected, then the signed code would also be infected," ICSA Lab's Thompson pointed out. If the signing code has been stolen, the user won't be able to tell who actually created the code either.
Abusing digital certificates "has been in the malware bag of tricks for a long time," Abrams stated.
In 2011, two major instances of hackers using spoofed digital certificates rocked the Internet. In March, hackers broke into a registration authority associated with Comodo and issued fake SSL certificates for Google, Yahoo, Skype and other domains. In August, DigiNotar was hacked, and the hackers used the stolen certs to attack Google. The same hacker claimed responsibility for both attacks.
Misusing Digital Certs
Whether or not it's easy to abuse digital security certs depends on whom you talk to.
Abusing digital certs is not an easy attack vector because "you've got to steal the certs, or figure out how to make your own with an exploit, as in this case," ICSA Lab's Thompson said.
However, "many people and companies do not understand the need to robustly secure their digital certificates, so stealing and misusing certificates is easy," Abrams said. "The problem is pervasive enough that antivirus companies had to stop using the presence of a certificate as an indicator of legitimacy, which it never really was anyway."
Flame's spoofing of Microsoft digital certs raises the question of whether the credibility of the certs, and therefore the trust the Internet's based on, may have taken a few more lumps.
"Sadly, I expect it will be business as usual," ICSA Lab's Thompson said. "Part of the problem is lack of understanding of the issues, but a bigger question is, what's the better alternative? I can't think of one so far."