Microsoft has discovered a flaw in one of its services that allows hackers to digitally sign code as though it were written by the Redmond-based company itself.
Over the weekend, the software giant released a security advisory warning that it had found unauthorised digital certificates in the wild which, if used, could sign code as if Microsoft had written it, without the signer ever needing access to Microsoft's public key infrastructure.
In a blog post, Jonathan Ness from Microsoft Security Response Centre Engineering said that the company first discovered the incident when it identified that an older cryptographic algorithm could be exploited to sign code. Although Ness did not say what the algorithm is used for, he said that the issue has been traced back to its Terminal Services licensing authority.
This authority was only meant to provide a certificate when an enterprise customer requests a Terminal Services activation licence, but, as it turns out, the certificate also allowed code to be signed on behalf of Microsoft.
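The design failure described above, a certificate authority meant only for licensing whose certificates nevertheless passed as code-signing, illustrated with an added Python example that is not Microsoft's code or the article's (it uses the pyca/cryptography library, a constructed toy CA hierarchy and a placeholder "licensing only" OID). The article does not spell out which certificate fields were involved; the toy assumes the intermediate simply carried no extended-key-usage restriction, and it also shows that constraining the intermediate only helps when a validator checks usage on every CA in the chain rather than on the leaf alone.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

CODE_SIGNING = ExtendedKeyUsageOID.CODE_SIGNING
# Constructed placeholder for a "licensing only" purpose; not a real Microsoft OID.
LICENSING_ONLY = x509.ObjectIdentifier("1.3.6.1.4.1.99999.1")

def issue(cn, issuer=None, is_ca=False, ekus=None):
    """Toy issuer: issuer=(cert, key) or None for self-signed; ekus=None means no EKU extension."""
    key = ec.generate_private_key(ec.SECP256R1())
    signer_cert, signer_key = issuer if issuer else (None, key)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name)
         .issuer_name(signer_cert.subject if signer_cert else name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if ekus is not None:
        b = b.add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
    return b.sign(signer_key, hashes.SHA256()), key

def permits(cert, purpose):
    try:
        return purpose in cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return True  # no EKU extension: the certificate is treated as good for any purpose

def chain_valid_for(chain, purpose, nested_eku):
    """Leaf-first chain ending at the trusted root; EKU is checked on the CAs only if nested_eku."""
    for i, cert in enumerate(chain):
        issuer = chain[i + 1] if i + 1 < len(chain) else cert  # the root is self-signed
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        if (i == 0 or nested_eku) and not permits(cert, purpose):
            return False
    return True

def demo():
    root = issue("Toy Root", is_ca=True)
    # The same licensing intermediate twice: created with no EKU restriction, and limited to licensing.
    loose = issue("Toy Licensing PCA (unconstrained)", issuer=root, is_ca=True)
    tight = issue("Toy Licensing PCA (constrained)", issuer=root, is_ca=True, ekus=[LICENSING_ONLY])
    leaf_loose, _ = issue("rogue code signer", issuer=loose, ekus=[CODE_SIGNING])
    leaf_tight, _ = issue("rogue code signer", issuer=tight, ekus=[CODE_SIGNING])
    chain_loose, chain_tight = [leaf_loose, loose[0], root[0]], [leaf_tight, tight[0], root[0]]
    return {"unconstrained_ca": chain_valid_for(chain_loose, CODE_SIGNING, True),
            "constrained_ca_leaf_only": chain_valid_for(chain_tight, CODE_SIGNING, False),
            "constrained_ca_nested": chain_valid_for(chain_tight, CODE_SIGNING, True)}
```

Only the last case rejects the rogue signer: the intermediate must be constrained and the validator must apply that constraint up the chain.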
Microsoft has since stopped issuing these certificates and has revoked its trust in the authority in question to prevent unauthorised certificates from being trusted. However, users must either revoke their own trust in the affected authorities (specifically, two certificates for "Microsoft Enforced Licensing Intermediate PCA" and one for "Microsoft Enforced Licensing Registration Authority CA SHA1") or apply the patch that Microsoft has put out to do this automatically.
Users who still have the authorities listed as trusted could potentially fall victim to spoofed content, phishing attacks and man-in-the-middle attacks.
Although the recent Flame malware has been linked to everything from Bluetooth to Angry Birds, Ness pointed out that the unauthorised certificates are also linked to it. He wrote that components of Flame were "signed with a certificate that chained up to the Microsoft Enforced Licensing Intermediate PCA certificate authority, and, ultimately, to the Microsoft Root Authority".