Monday, June 4, 2012

Flame Wars

This is not a theoretical tin-foil-hat news update - this is history.  Apparently, unlike Stuxnet, Flame has been hiding in plain sight, carried by validly signed applications, for at least two years.   Microsoft says:
"What we found is that certificates issued by our Terminal Services licensing certification authority, which are intended to only be used for license server verification, could also be used to sign code as Microsoft. Specifically, when an enterprise customer requests a Terminal Services activation license, the certificate issued by Microsoft in response to the request allows code signing without accessing Microsoft’s internal PKI infrastructure."
In short, a spectacular security fuck-up.  Their phone-home DRM certificate is also a valid code-signing key whose trust chain goes all the way back up to the default-trusted Microsoft root certificate .. oh darn!   They are now doing a full-court press claiming the signing certificate was "un-authorized".  D'oh.  They left the keys in the door lock.
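The failure above is a chain-validation problem: a certificate handed out for license-server verification chained to the Microsoft root, and nothing between the leaf and the root restricted what that leaf could be used for. The following is an added example, not Microsoft's code and not taken from any of the references: it models the Extended Key Usage (EKU) fields of a constructed chain and checks a leaf for a purpose by intersecting EKU sets from the leaf up to the trust anchor. Two things are assumptions of mine: that a CA certificate with no EKU extension is treated as unrestricted (the usual chain-building rule), and the OID value used for Microsoft's "License Server Verification" purpose. All certificate names are constructed.

```python
"""EKU propagation check over a constructed certificate chain (added example).

A leaf is accepted for a purpose only if the leaf AND every issuing CA up to
the trust anchor permit that purpose. A CA with no EKU extension counts as
unrestricted (assumption). Names and chain layout below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

CODE_SIGNING = "1.3.6.1.5.5.7.3.3"                       # id-kp-codeSigning, RFC 5280
LICENSE_SERVER_VERIFICATION = "1.3.6.1.4.1.311.10.6.2"   # assumed Microsoft OID


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool
    eku: Optional[FrozenSet[str]] = None   # None = no EKU extension = any purpose


def build_chain(leaf: Cert, store: Dict[str, Cert], anchors: Set[str]) -> List[Cert]:
    """Walk issuer links from the leaf to a self-signed certificate that is a trust anchor."""
    chain, seen, cur = [leaf], {leaf.subject}, leaf
    while cur.subject != cur.issuer:
        parent = store.get(cur.issuer)
        if parent is None or not parent.is_ca or parent.subject in seen:
            raise ValueError(f"no valid path above {cur.subject!r}")
        chain.append(parent)
        seen.add(parent.subject)
        cur = parent
    if cur.subject not in anchors:
        raise ValueError(f"chain ends at untrusted root {cur.subject!r}")
    return chain


def effective_eku(chain: List[Cert]) -> Optional[FrozenSet[str]]:
    """Intersect the EKU sets along the chain; None means 'any purpose'."""
    allowed: Optional[FrozenSet[str]] = None
    for cert in chain:
        if cert.eku is not None:
            allowed = cert.eku if allowed is None else allowed & cert.eku
    return allowed


def valid_for(leaf: Cert, store: Dict[str, Cert], anchors: Set[str], purpose: str) -> bool:
    """True if every certificate in the leaf's chain permits `purpose`."""
    allowed = effective_eku(build_chain(leaf, store, anchors))
    return allowed is None or purpose in allowed


def _layout(intermediate_eku: Optional[FrozenSet[str]], leaf_eku: FrozenSet[str]):
    """Constructed three-certificate chain: root -> licensing CA -> license server leaf."""
    root = Cert("Constructed Root", "Constructed Root", True, None)
    licensing_ca = Cert("Constructed Licensing CA", "Constructed Root", True, intermediate_eku)
    leaf = Cert("Constructed License Server", "Constructed Licensing CA", False, leaf_eku)
    store = {c.subject: c for c in (root, licensing_ca)}
    return leaf, store, {root.subject}


def flawed_layout():
    """Licensing CA carries no EKU, so whatever the leaf lists is accepted."""
    return _layout(None, frozenset({LICENSE_SERVER_VERIFICATION, CODE_SIGNING}))


def constrained_layout():
    """Licensing CA restricted to its own purpose; code signing cannot pass through it."""
    return _layout(frozenset({LICENSE_SERVER_VERIFICATION}),
                   frozenset({LICENSE_SERVER_VERIFICATION, CODE_SIGNING}))


if __name__ == "__main__":
    for name, layout in (("flawed", flawed_layout), ("constrained", constrained_layout)):
        leaf, store, anchors = layout()
        print(name, "code signing accepted:", valid_for(leaf, store, anchors, CODE_SIGNING))
```

The flawed layout is the shape of the problem described above: the only EKU restriction lives in the leaf, and the leaf lists code signing, so the chain validates for code signing. Constraining the intermediate to the licensing purpose makes the same leaf fail for code signing while still passing for license-server verification, which is the check a relying party should be running rather than trusting the root alone.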


Be aware that Flame is incredibly sophisticated – if you think it can do it, it can.

On a related note ... as long rumored, Stuxnet was a joint US/Israeli effort.  It is no coincidence that severe malware findings come from non-US researchers.

References
http://www.f-secure.com/weblog/archives/00002377.html
http://www.securityweek.com/microsoft-unauthorized-certificate-was-used-sign-flame-malware
http://blogs.technet.com/b/msrc/archive/2012/06/03/microsoft-releases-security-advisory-2718704.aspx
http://technet.microsoft.com/en-us/security/advisory/2718704
http://www.scmagazineuk.com/failure-to-detect-flame-marks-the-end-of-signature-based-anti-virus/article/243505/
http://www.theregister.co.uk/2012/05/29/flame_cyberweapon_analysis/
http://www.theregister.co.uk/2012/05/28/kaspersky_discovers_flame_worm/
http://forums.theregister.co.uk/forum/1/2012/06/04/microsoft_douses_flame/