Slashdot Mirror


Microsoft Certificate Was Used To Sign Flame Malware

wiredmikey writes "Microsoft disclosed that 'unauthorized digital certificates derived from a Microsoft Certificate Authority' were used to sign components of the recently discovered Flame malware. 'We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft,' Microsoft Security Response Center's Jonathan Ness wrote in a blog post. Microsoft is also warning that the same techniques could be leveraged by less sophisticated attackers to conduct more widespread attacks. In response to the discovery, Microsoft released a security advisory detailing steps that organizations should take in order block software signed by the unauthorized certificates, and also released an update to automatically protect customers. Also as part of its response effort, Microsoft said its Terminal Server Licensing Service no longer issues certificates that allow code to be signed."

5 of 194 comments (clear)

  1. Surprised this isn't regulated more closely by danbuter · · Score: 5, Interesting

    I kind of thought Microsoft would make damn sure someone else couldn't duplicate their signatures (barring an employee or a government doing it).

    1. Re:Surprised this isn't regulated more closely by Dogtanian · · Score: 4, Interesting

      I kind of thought Microsoft would make damn sure someone else couldn't duplicate their signatures (barring an employee or a government doing it).

      Given the blurb for this story that also appeared today...

      All three were most likely developed by a Western intelligence agency as part of covert operations [..] consumer-grade antivirus products can't protect against targeted malware created by well-resourced nation-states with bulging budgets

      I think that *this* part of your comment:-

      (barring an employee or a government doing it)

      may answer your own question. Aside from the fact that governments would have had massive resources to start off with, it's also probable that MS were (at least) forced to allow those governments access or involvement at some level to otherwise secure or confidential aspects of their software.

      If this is the case, then at the very least, they could have used such knowledge to give themselves an advantage. Going one step further, it's possible that they used or exploited this to help steal or get access to those keys.

      But given that it's widely claimed that the US government was involved in the creation of Stuxnet, it's equally plausible that MS willingly gave- or were pressurised into giving- them those certificates knowingly, even if they might not have known exactly what they were for.

      This is just speculation- I don't know any of this for sure, or have any special knowledge of the situation. But it does add up to being at least plausible.

      --
      "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
  2. Remember the Kernel Backdoor by Anonymous Coward · · Score: 4, Interesting

    I think it was an SHS exploit or something in the Windows Kernel. Steve Gibson stepped through the Kernel and concluded that this vulnerability was an intentionally placed backdoor, perhaps by a Microsoft employee. It's in one of his earlier podcasts. Lots of people thought maybe he was crazy at the time, but in retrospect ... maybe not so much.

  3. Re:Yay for security! by peppepz · · Score: 5, Interesting

    GP is perfectly right, if anything. Microsoft will control by default all bootloaders, and this event shows that Microsoft are unable to maintain their chain of trust. The fact that there can be (or not - cf. ARM) an undocumented, user-unfriendly, unspecified procedure to add other people's keys doesn't change a bit of that.

  4. Really? by Corson · · Score: 5, Interesting

    Flamer is out in the wild since cca. 2007, with a MS signed certificate, and the only IT security organization that decides to bring it to public attention is a Russian company, and the first removal tool is from a Romanian company. Isn't this a bit strange? Isn't it more likely that this NA-designed spyware targetting the Middle East was released with the tacit agreement of Western security companies and it only became known because the Russians, for some reason, decided they would not play the game? Microsoft being unaware for thw last few years that hundreds of computers are infected with a 20 MB spyware pack bearing a security certifice of their own? Come on...