Microsoft Certificate Was Used To Sign Flame Malware

wiredmikey writes "Microsoft disclosed that 'unauthorized digital certificates derived from a Microsoft Certificate Authority' were used to sign components of the recently discovered Flame malware. 'We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft,' Microsoft Security Response Center's Jonathan Ness wrote in a blog post. Microsoft is also warning that the same techniques could be leveraged by less sophisticated attackers to conduct more widespread attacks. In response to the discovery, Microsoft released a security advisory detailing steps that organizations should take in order block software signed by the unauthorized certificates, and also released an update to automatically protect customers. Also as part of its response effort, Microsoft said its Terminal Server Licensing Service no longer issues certificates that allow code to be signed."

Re:Yay for security!

[the_B0fh]

No, *MOTHERBOARD* manufacturers can add other keys. If you can't even boot to an alternative OS, there's no way in hell you could _CHANGE_ the damned keys, unless there was a vulnerability.

So please stop your FUD.

Re:Nice Headline

[joeflies]

It was not a counterfeit microsoft certificate. It was a legitimate microsoft certificate from Terminal Server Licnensing Service, but used for purposes other than it was intended.

Re:Yay for security!

[Anonymous Coward]

Wrong. On the x86_64 platform you will be able to boot into BIOS and add a new root key.

That is not true for ARM "Windows 8 Ready" platforms, but seriously who cares about ARM on the desktop?

Re:Surprised this isn't regulated more closely

[fuzzyfuzzyfungus]

The Feds may also be leaning on MS/Verisign/whoever; but this instance appears to be one of rather serious fuck-uppery. From MS's blog entry:

"What we found is that certificates issued by our Terminal Services licensing certification authority, which are intended to only be used for license server verification, could also be used to sign code as Microsoft. Specifically, when an enterprise customer requests a Terminal Services activation license, the certificate issued by Microsoft in response to the request allows code signing without accessing Microsoft’s internal PKI infrastructure."

So, guys, turns out that we accidentally built our phone-home DRM such that the cryptographic "OK, your CALS are worthy unto Redmond and thou mayst remote desktop" message is also a valid signing key with a chain of trust going right back up to a default-trusted Microsoft cert... Oops.

Now, given that (so far as we know, clearly team AV isn't in any position to tell us) this little mistake was not widely known or exploited, clearly the Flame guys were on the ball(and far more interested in spying on Iran or whoever than in improving the security of domestic computers... thanks a whole fucking lot on that one, feds).

Re:Nice Headline

[Psykechan]

The certs issues from the Terminal Server Licensing Service were intended to be used only for connections and not code signing. This is Microsoft's blunder. They weren't actually licensing malicious certificates but they were giving people tools to issue what appeared to be valid certs coming from MS.

The fixes are going to be changing TSLS so that its certs can no longer be used to sign code and revoking the intermediate CA certs that are affected.

http://blogs.technet.com/b/msrc/archive/2012/06/03/microsoft-releases-security-advisory-2718704.aspx [technet.com]

Re:UEFI

[KingMotley]

First of all the Secure Boot in UEFI wasn't mandated by Microsoft, it a feature they they have decided to implement. A feature any OS is free to implement, including linux.
Secondly, motherboard manufacturers are able to add (or pre-add) any key (or none at all) if they choose.
Thirdly, there is nothing keeping users from being able to install their own key (or additional keys) through the UEFI boot process, assuming the UEFI manufacturer provides one.

Really, stop spreading your FUD.

Re:UEFI

[betterunixthanunix]

First of all the Secure Boot in UEFI wasn't mandated by Microsoft

Except when it comes to Windows 8 on ARM systems. Then Microsoft does mandate secure boot.

A feature any OS is free to implement, including linux.

1. Linux is not an operating system, it is a kernel.
2. What difference does it make if other OSes support secure boot, if you cannot install those OSes as a result of secure boot being used?

Secondly, motherboard manufacturers are able to add (or pre-add) any key (or none at all) if they choose.

This is a cop out; unless there is a simple way for users to install their own keys, this is something that will further restrict how people can use their computers. You can jailbreak your iPad if you want, but the majority of people have trouble doing so.

Thirdly, there is nothing keeping users from being able to install their own key (or additional keys) through the UEFI boot process, assuming the UEFI manufacturer provides one.

...which is something Microsoft pressures them not to do on ARM devices:

https://www.softwarefreedom.org/blog/2012/jan/12/microsoft-confirms-UEFI-fears-locks-down-ARM/ [softwarefreedom.org]

Really, stop spreading your FUD.

What FUD? We said years ago that iPad style lock-down is coming to desktops and laptops; now we have moved a step closer. There is a lot of money to be made from attacking computer users' freedom, and now that Apple has pulled in billions of dollars doing so, everyone else wants to join the party.

Re:UEFI

[a90Tj2P7]

This is a cop out; unless there is a simple way for users to install their own keys, this is something that will further restrict how people can use their computers.

There is. UEFI isn't new, nor is secure boot. The only thing new is MS wanting to make it . There's a process for adding keys. Or the vendor can just pay $99 to Verisign like Fedora's doing. Even if you think that isn't "simple" enough, the feature can just be disabled on x86 machines.