"What we found is that certificates issued by our Terminal Services licensing certification authority, which are intended to only be used for license server verification, could also be used to sign code as Microsoft. Specifically, when an enterprise customer requests a Terminal Services activation license, the certificate issued by Microsoft in response to the request allows code signing without accessing Microsoft’s internal PKI infrastructure."
In short, a spectacular security fuck-up. Their phone-home DRM is also a valid signing key whose trust chain goes all the way back up to the default-trusted Microsoft certificate .. oh darn! They are now doing a full-court press claiming the signing certificate was "un-authorized". D'oh. They left the keys in the door lock.
Be aware that Flame is incredibly sophisticated – if you think it can do it, it can.
On a related note ... as long rumored, Stuxnet was a joint US/Israeli effort. It is no co-incidence that severe malware findings come from non-US researchers.
References
http://www.f-secure.com/weblog/archives/00002377.html
http://www.securityweek.com/microsoft-unauthorized-certificate-was-used-sign-flame-malware
http://blogs.technet.com/b/msrc/archive/2012/06/03/microsoft-releases-security-advisory-2718704.aspx
http://technet.microsoft.com/en-us/security/advisory/2718704
http://www.scmagazineuk.com/failure-to-detect-flame-marks-the-end-of-signature-based-anti-virus/article/243505/
http://www.theregister.co.uk/2012/05/29/flame_cyberweapon_analysis/
http://www.theregister.co.uk/2012/05/28/kaspersky_discovers_flame_worm/
http://forums.theregister.co.uk/forum/1/2012/06/04/microsoft_douses_flame/
\
No comments:
Post a Comment