Microsoft on Sunday revoked several of its own digital certificates after discovering that the makers of the Flame super-cyber spy kit figured out a way to sign their malware with the company's digital "signature."

The weekend emergency update for all versions of Windows -- including the just-shipped Windows 8 Release Preview -- was unusual, perhaps hinting at the seriousness of the flaw.

At least one security expert saw it that way. "This is a big deal," said Andrew Storms, director of security operations at nCircle Security, in an interview Sunday conducted via instant messaging.

Big because a flaw in Microsoft's Terminal Services licensing certificate authority (CA), which is normally used by enterprises to authorize remote desktop services and sessions, allowed attackers to generate digital certificates that could be used to "sign," or validate, code in Flame.

Flame is a massive espionage tool -- 20 to 40 times larger than Stuxnet, the worm that sabotaged Iran's nuclear fuel enrichment facilities -- that infiltrates networks, scouts out the digital landscape, then uses a variety of modules to pilfer information.

It appears Flame was aimed primarily at Iranian targets, as the majority of infected machines are in that country.

"Flame is using valid but fake Microsoft certificates to sign the code through a bug in their CA system via Terminal Services," Storms summarized. "So when the code was checked for validity, it properly linked back to the root and was accepted as okay."
The end result: Parts of Flame appeared innocuous because for all intents and purposes, they were signed by Microsoft itself.

Microsoft addressed the flaw by revoking three certificates, and issuing an update to all versions of Windows that added those certificates to the revocation list.

Even Windows 8 -- both the Consumer Preview and last week's Release Preview -- was affected, and will receive the certificate revocation update, Microsoft said in a security advisory released Sunday.

To prevent other attackers from doing the same -- and spoofing certificates on unpatched PCs -- Microsoft also modified the Terminal Server licensing service so it can no longer issue code-signing certificates.

That should not pose a problem for legitimate users of Terminal Services, said Storms. "Basically, users shouldn't worry," he said. "The [Terminal Services] hosts will re-authorize and will get issued new certificates."

Microsoft did not say which modules of Flame were code-signed by the fraudulent certificates. But Finnish antivirus firm F-Secure today claimed it had identified one such module.