Microsoft hole allowed hackers to sign code

Summary: Microsoft has discovered a flaw in one of its services that allows hackers to digitally sign code as though it were written by the Redmond-based company itself.


Over the weekend, the software giant released a security advisory warning that it had found unauthorised digital certificates in the wild that, if used, could sign code as if Microsoft had written it, without the signer needing any access to Microsoft's public key infrastructure.

In a blog post, Jonathan Ness from Microsoft Security Response Centre Engineering said that the company first discovered the incident when it identified that an older cryptography algorithm could be exploited and then used to sign code. Although Ness did not identify which algorithm is involved or what it is used for, he said that the issue has been traced back to Microsoft's Terminal Services licensing authority.

This authority was only meant to issue a certificate when an enterprise customer requested a Terminal Services activation licence, but, as it turned out, the certificates it issued could also be used to sign code on behalf of Microsoft.

Microsoft has since stopped issuing these certificates and has revoked its own trust in the authority in question, so that certificates chaining to it are no longer trusted. However, users must still either revoke trust in the affected authorities themselves (specifically, two certificates for "Microsoft Enforced Licensing Intermediate PCA" and one for "Microsoft Enforced Licensing Registration Authority CA SHA1") or apply the update that Microsoft has released, which moves those certificates into the untrusted certificate store automatically.
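The following PowerShell script is an added example, not code from this article or from Microsoft's advisory. It checks the state the previous paragraph describes on a Windows machine: whether the three "Microsoft Enforced Licensing" certificates have been moved to the Untrusted (Disallowed) store, whether copies are still present in a trusted store, and, for a given signed file, whether its Authenticode chain passes through one of these CAs and what key usages each certificate in the chain carries. It assumes Windows PowerShell with the Cert: drive available, and it matches on the subject names quoted in the article rather than on thumbprints, which the article does not list; the file path in the usage line is a placeholder.

```powershell
# Added example (not from the ZDNet article or Microsoft's advisory).
# Assumptions: Windows PowerShell, Cert: drive available, matching on the
# subject names the article quotes rather than on thumbprints.

$Pattern = 'Microsoft Enforced Licensing'

function Get-EnforcedLicensingCert {
    param([Parameter(Mandatory)][string]$StorePath)
    Get-ChildItem -Path $StorePath -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $Pattern } |
        Select-Object @{ n = 'Store'; e = { $StorePath } }, Subject, Thumbprint, NotAfter
}

# 1. After the update, the certificates should sit in the Untrusted
#    ("Disallowed") store of the machine or of the current user.
$untrusted = @('Cert:\LocalMachine\Disallowed', 'Cert:\CurrentUser\Disallowed') |
    ForEach-Object { Get-EnforcedLicensingCert -StorePath $_ }

# 2. Any copy still in a trusted store means this machine will accept
#    signatures that chain through it.
$stillTrusted = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
                  'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\CA') |
    ForEach-Object { Get-EnforcedLicensingCert -StorePath $_ }

if (-not $untrusted) {
    Write-Warning 'No Enforced Licensing certificates in the Untrusted store: the update does not appear to be applied.'
} else {
    $untrusted | Format-Table -AutoSize
}
if ($stillTrusted) {
    Write-Warning 'Enforced Licensing certificates are still present in a trusted store:'
    $stillTrusted | Format-Table -AutoSize
}

# 3. For a signed file, build the Authenticode chain and report whether it
#    passes through an Enforced Licensing CA. Listing each element's Enhanced
#    Key Usage shows whether a licensing certificate is being accepted for
#    code signing.
function Test-SignedFileChain {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        return [pscustomobject]@{ Path = $Path; Status = $sig.Status; EnforcedLicensingInChain = $false; Chain = @() }
    }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Offline check: skip CRL/OCSP so the result depends only on local stores.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($sig.SignerCertificate)

    $elements = foreach ($e in $chain.ChainElements) {
        $eku = $e.Certificate.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName } }
        $ekuText = '<none: any purpose>'
        if ($eku) { $ekuText = $eku -join ', ' }
        [pscustomobject]@{ Subject = $e.Certificate.Subject; EKU = $ekuText }
    }

    [pscustomobject]@{
        Path                     = $Path
        Status                   = $sig.Status   # no longer Valid once the chain hits a Disallowed certificate
        ChainStatus              = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        EnforcedLicensingInChain = [bool]($elements | Where-Object { $_.Subject -match $Pattern })
        Chain                    = $elements
    }
}

# Usage (placeholder path): inspect a binary you suspect was signed this way.
# Test-SignedFileChain -Path 'C:\samples\suspect.dll' | Format-List
```

A machine on which the first section prints three entries and the second prints nothing is in the state the update is meant to produce; a file whose chain still reports `EnforcedLicensingInChain` as true with a `Status` of Valid indicates the certificates are still trusted there.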

Users who still have these authorities listed as trusted could fall victim to spoofed content, phishing attacks and man-in-the-middle attacks, since anything signed with one of the unauthorised certificates would be accepted as coming from Microsoft.

Although the recent Flame malware has been linked to everything from Bluetooth to Angry Birds, Ness pointed out that the unauthorised certificates are also linked to it. He wrote that components of Flame were "signed with a certificate that chained up to the Microsoft Enforced Licensing Intermediate PCA certificate authority, and, ultimately, to the Microsoft Root Authority".


About

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.
