Slashdot Mirror


Microsoft Certificate Was Used To Sign Flame Malware

wiredmikey writes "Microsoft disclosed that 'unauthorized digital certificates derived from a Microsoft Certificate Authority' were used to sign components of the recently discovered Flame malware. 'We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft,' Microsoft Security Response Center's Jonathan Ness wrote in a blog post. Microsoft is also warning that the same techniques could be leveraged by less sophisticated attackers to conduct more widespread attacks. In response to the discovery, Microsoft released a security advisory detailing steps that organizations should take in order block software signed by the unauthorized certificates, and also released an update to automatically protect customers. Also as part of its response effort, Microsoft said its Terminal Server Licensing Service no longer issues certificates that allow code to be signed."

5 of 194 comments (clear)

  1. UEFI by Anonymous Coward · · Score: 5, Insightful

    And this is how they plan to monopolize Secure Boot (UEFI) and get rid of Linux? why should I trust that ONE KEY that microsoft plans to install on all motherboards?

    JP

    1. Re:UEFI by betterunixthanunix · · Score: 5, Insightful

      the vendor can just pay $99

      The fact that this is phrased in terms of "vendors" should indicate that this is an attack on user freedom. A fee to install your signing key creates obstacles for anyone who wants to fork a GNU/Linux distribution (happens all the time), anyone who wants to create their own distribution, and anyone who wants to try "Linux from Scratch" (and I know of a few people who have done so). It also creates an obstacle for anyone who wants to write their own kernel or OS; if Linus Torvalds had to pay $99, the Linux kernel itself may never have been created.

      Even if you think that isn't "simple" enough

      The fact that money is involved makes it a major barrier, and counts very strongly against the process being "simple" (it requires a payment to be processed, a third party to the new key, etc. -- you cannot even test a system without the fee; compare with TLS, where you can generate a usable test certificate without paying anyone).

      the feature can just be disabled on x86 machines.

      Only if the motherboard manufacturer allows it, and this is not allowed on ARM machines that will run Windows 8. Considering the inroads ARM has made into personal computing, I do not think it is unfair to say that the decisions made today about ARM computers will shape the reality of personal computing over the next decade. We are already seeing this happening; app stores are the norm, people are talking about trendy apps, etc.

      --
      Palm trees and 8
  2. Re:Yay for security! by peppepz · · Score: 5, Insightful

    First they came for ARM on the desktop, and I didn't speak because I didn't care...

  3. Re:Surprised this isn't regulated more closely by mcgrew · · Score: 5, Insightful

    So much for "SafeBoot". maybe we shoulc now start calling it "unsafe boot"?

  4. Re:Yay for security! by 0123456 · · Score: 5, Insightful

    The same way they train home users to install another OS?

    Boot from CD and hit 'Install'?

    Nope. Not going to work in the Glorious People's Secure Boot Dictatorship.

    In fact, I presume you won't even be able to boot from CD without disabling 'Secure Boot' in the BIOS.