Forgot your password?
typodupeerror
Microsoft Security The Internet News

Microsoft Certificate Was Used To Sign Flame Malware 194

Posted by samzenpus
from the signing-dirty dept.
wiredmikey writes "Microsoft disclosed that 'unauthorized digital certificates derived from a Microsoft Certificate Authority' were used to sign components of the recently discovered Flame malware. 'We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft,' Microsoft Security Response Center's Jonathan Ness wrote in a blog post. Microsoft is also warning that the same techniques could be leveraged by less sophisticated attackers to conduct more widespread attacks. In response to the discovery, Microsoft released a security advisory detailing steps that organizations should take in order block software signed by the unauthorized certificates, and also released an update to automatically protect customers. Also as part of its response effort, Microsoft said its Terminal Server Licensing Service no longer issues certificates that allow code to be signed."
This discussion has been archived. No new comments can be posted.

Microsoft Certificate Was Used To Sign Flame Malware

Comments Filter:
  • Re:Nice Headline (Score:5, Insightful)

    by K. S. Kyosuke (729550) on Monday June 04, 2012 @09:58AM (#40208227)
    What exactly do you mean by "counterfeit"? If the signing key was signed by the genuine Microsoft key, how does that objectively differ from all the other signing keys?
  • UEFI (Score:5, Insightful)

    by Anonymous Coward on Monday June 04, 2012 @10:01AM (#40208263)

    And this is how they plan to monopolize Secure Boot (UEFI) and get rid of Linux? why should I trust that ONE KEY that microsoft plans to install on all motherboards?

    JP

  • by peppepz (1311345) on Monday June 04, 2012 @10:09AM (#40208345)
    First they came for ARM on the desktop, and I didn't speak because I didn't care...
  • by mcgrew (92797) * on Monday June 04, 2012 @10:13AM (#40208389) Homepage Journal

    So much for "SafeBoot". maybe we shoulc now start calling it "unsafe boot"?

  • by Spyder (15137) on Monday June 04, 2012 @10:28AM (#40208563)

    Stuxnet was signed by stolen certificates: http://www.securelist.com/en/analysis/204792208/Stuxnet_Duqu_The_Evolution_of_Drivers?print_mode=1 [securelist.com] . it's possible that Flamer was signed by compromised certificates, but if we believe that Stuxnet and Duqu were the products of a nation state level actor then we could conclude that Flamer is in the same category.

  • by Spiked_Three (626260) on Monday June 04, 2012 @10:32AM (#40208613)
    "This is just speculation- I don't know any of this for sure, or have any special knowledge of the situation. But it does add up to being at least plausible."

    I have a little knowledge, not a lot, and yes this is exactly the kind of thing that can happen. it is quite impressive what happens when as a company you tell NSA no. In my limited experience, it changes to yes less than a month later.

    Simple reality, microsoft probably let a bug/flaw slip through a while back, if that was not the case then they were told to. laugh all you want, but if any other operating system had been the target, do you think the outcome would have been any different? oh, and here is another amazing fact; it will happen again if desired.
  • by betterunixthanunix (980855) on Monday June 04, 2012 @10:49AM (#40208811)

    That is not true for ARM "Windows 8 Ready" platforms, but seriously who cares about ARM on the desktop?

    Maybe you are not creative enough to think of a reason to use ARM on a desktop? I can think of some:

    1. Low power situations -- I have a little ARM desktop that uses only 4W of power; this would be great if I were in a situation where I had to generate my own power, e.g. in a boat, in an RV, in a shack somewhere, etc.
    2. Low cost computers e.g. Raspberry Pi.

    There you go, some situations where an ARM desktop might make sense. Really though, this misses the more important point: why should a computer user ever be barred from installing the software they want to install? Allowing people to install new signing keys for their computer is not at all unreasonable; it could be as simple as pressing a button and inserting a thumb drive (enough effort to make social engineering harder, but not so much effort that an untrained person would not be able to handle it).

  • by recoiledsnake (879048) on Monday June 04, 2012 @11:26AM (#40209221)

    No, first they came for phones and tablets, and they can barely keep them in stock with people falling over themselves and risking stampedes to buy them.

    http://www.macobserver.com/tmo/article/gartner_apple_turns_its_complete_inventory_every_5_days/ [macobserver.com]

    But somehow it's fashionable only to slag Microsoft on here and ignore the elephant in the room with the lion's share of devices and profits.

  • by 0123456 (636235) on Monday June 04, 2012 @11:27AM (#40209229)

    The same way they train home users to install another OS?

    Boot from CD and hit 'Install'?

    Nope. Not going to work in the Glorious People's Secure Boot Dictatorship.

    In fact, I presume you won't even be able to boot from CD without disabling 'Secure Boot' in the BIOS.

  • Re:UEFI (Score:5, Insightful)

    by betterunixthanunix (980855) on Monday June 04, 2012 @11:39AM (#40209353)

    the vendor can just pay $99

    The fact that this is phrased in terms of "vendors" should indicate that this is an attack on user freedom. A fee to install your signing key creates obstacles for anyone who wants to fork a GNU/Linux distribution (happens all the time), anyone who wants to create their own distribution, and anyone who wants to try "Linux from Scratch" (and I know of a few people who have done so). It also creates an obstacle for anyone who wants to write their own kernel or OS; if Linus Torvalds had to pay $99, the Linux kernel itself may never have been created.

    Even if you think that isn't "simple" enough

    The fact that money is involved makes it a major barrier, and counts very strongly against the process being "simple" (it requires a payment to be processed, a third party to the new key, etc. -- you cannot even test a system without the fee; compare with TLS, where you can generate a usable test certificate without paying anyone).

    the feature can just be disabled on x86 machines.

    Only if the motherboard manufacturer allows it, and this is not allowed on ARM machines that will run Windows 8. Considering the inroads ARM has made into personal computing, I do not think it is unfair to say that the decisions made today about ARM computers will shape the reality of personal computing over the next decade. We are already seeing this happening; app stores are the norm, people are talking about trendy apps, etc.

  • Today's Lesson (Score:5, Insightful)

    by Adrian Lopez (2615) on Monday June 04, 2012 @12:06PM (#40209661) Homepage

    So... what did we learn today?

    1. Signed code is not safe code.
    2. An insecure operating system that only runs signed code is still an insecure operating system.

  • So let me get this straight...you installed a TWELVE YEAR OLD OS and then are BITCHING because the company actually gave you patches instead of forcing you to upgrade like the OS you are singing the praises of? please stay with Linux, you are obviously too big of a dumbass to run Windows.

...when fits of creativity run strong, more than one programmer or writer has been known to abandon the desktop for the more spacious floor. - Fred Brooks, Jr.

Working...