The exploit of Microsoft's Windows Update system by thesophisticated Flame cyber espionage malware was a "significant"event in the history of Windows hacking, experts said today. And by its response, Microsoft appears to agree: It not only issuedan immediate fix just days after the malware's public unveilingwith one of its increasingly-rare "out-of-band" updates, but it hasturned its certificate-generation process upside down and willrevamp how it secures Windows updates. "It was a very significant," said Wolfgang Kandek, chief technologyofficer with Qualys, in an interview today. "It's the Holy Grail ofexploits, and until now it had only been done in research." Kandek wasn't the first to link the term "Holy Grail" with Flame:Earlier in the week, Mikko Hypponen, F-Secure's chief researchofficer and the first to announce that Flame was somehow usingWindows Update, called the feat "the Holy Grail of malware writers" and "the nightmare scenario" for antivirus researchers. And yesterday, Alexander Gostev, who leads Kaspersky's research andanalysis team, said the Windows Update deception was "better thanany zero-day exploit ... it actually looks more like a 'god mode'cheat code." What had those researchers reaching for superlatives was the Flamemakers' theft of digital "signatures," or certificates, thatlabeled code as Microsoft's, and then the use of those certificatesto "sign" malicious files that posed as legitimate Windows updates. The combination allowed Flame to infect fully-patched Windows XP, Vista and Windows 7 PCs that were on the same networkas an already-infected system. With a complex series of operations that involves three of its manymodules, "Snack," "Munch" and "Gadget," Flame sniffs out victims,intercepts connection requests to Windows Update and serves upmalware, including a copy of Flame, that masquerades as a validupdate. Third-party security researchers had mapped out those maneuvers andmodules, but until Microsoft's revelation that its certificates hadbeen fraudulently generated, didn't see the point. "Once they confirmed [the certificate theft], it filled in themissing puzzle pieces," Liam O Murchu, director of operations forSymantec's security response center, said in an email reply toquestions. "Without a Microsoft certificate these components didnot make sense." But it may be Microsoft's own moves since Monday, May 28, whenKaspersky Lab first released an analysis of Flame, that is the bestevidence of the hack's gravity. "You can get a pretty good idea by what Microsoft's done that theythink this is very urgent," said Kandek. "They released the patchon Sunday, even though Patch Tuesday was just a little over a weekaway." June's Patch Tuesday -- the name for Microsoft'sreligiously-scheduled security updates -- is next week. Microsoft revoked three certificates -- those used to sign code in Flame -- on Sunday, June 3, only sixdays after Kaspersky disclosed the malware, an extremely rapidresponse for the company. The same day, Microsoft modified theTerminal Services licensing certificate authority (CA), the onehackers had exploited, so it could no longer issue code-signingcertificates of any kind. It's rare that Microsoft issues an emergency update rather thanwait for the next Patch Tuesday. Last year, Microsoft shipped only one , and that was just two days before 2011's close. In 2010,Microsoft delivered four out-of-band updates and 104 on PatchTuesdays. On Wednesday Microsoft announced it would revamp how Windows updates are secured , saying that it would dedicate a new CA to Windows Update, ineffect unlinking the service from all other Microsoft-generatedcertificates. The update to end users and enterprises -- the latterfor WSUS, or Windows Server Update Services -- is to start reachingcustomers this week. Andrew Storms, director of security operations at nCircle Security,said that should have been how Microsoft treated Windows Updatefrom the get-go. "Windows Update should have been an entirely different[certificate] stream than anything else," said Storms. "It's justtoo darned important to have been intermingled with any other chainof trust. For all that Microsoft has done to better their securitypractices, I'm pretty surprised they didn't think of this attackvector previously." Storms was also critical of Microsoft's vague description of theirplans to harden Windows Update. "The Windows Update team needs to describe in more detail how theyare going to fix the problem. Until then, I bet a lot of peoplewill be thinking twice about the security of Windows Update," saidStorms. Users should deploy last Sunday's certificate revocation update assoon as possible, Microsoft has said, to protect themselves frompossible copy-cat hackers. Gregg Keizer covers Microsoft, security issues, Apple, Web browsersand general technology breaking news for Computerworld. FollowGregg on Twitter at @gkeizer , or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com . Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center. We are high quality suppliers, our products such as Uninterrupted Power Supply Manufacturer , Product Showcase for oversee buyer. To know more, please visits Low Frequency Online UPS.
Related Articles -
Uninterrupted Power Supply Manufacturer, Product Showcase,
|