Microsoft certificate used to sign Flame malware, issues warning

Microsoft has issued an emergency security patch after it found components of the Flame malware were signed with one of its trusted digital certificates that "chained up" to the Microsoft Root Authority.

The software giant said it had "immediately began examining the issue".

Flame, described by Kaspersky researchers as the “most complex threat” ever discovered, was discovered in a series of machines in what is understood to be a state-sponsored attack.

"Our investigation has discovered some techniques used by this malware that could also be leveraged by less sophisticated attackers to launch more widespread attacks," Mike Reavey, senior director to Microsoft's Security Response Center (MSRC), said in a blog post.

Having said that, the out-of-the-blue advisory fails to actively note that the malware affects virtually every currently supported version of Windows. Despite this, because of the highly-targeted nature of the malware, most Windows users are not at risk.

In response, Microsoft has issued a security advisory warning its digital certificates could allow "spoofing", and has revoked the two intermediate certificate authorities.

However, the security bulletin does not make clear who had access to these certificates, or whether they were abused by authorised personnel. It may be that they were compromised and abused by an unauthorised user.

Microsoft has also released a Windows Update patch that customers are advised to install immediately.

MSRC's Jonathan Ness explained: "What we found is that certificates issued by our Terminal Services licensing certification authority, which are intended to only be used for license server verification, could also be used to sign code as Microsoft."

The company will therefore discontinue issuing certificates that could be used to sign code via the Terminal Services activation process.

Image credit: Robert S. Donovan/Flickr.

Related:

• Flame: 'Most complex' cyber-attack ever discovered
• CNET: Behind the 'Flame' malware spying on Mideast computers (FAQ)
• ZDNet: UK government ‘planning to launch Stuxnet-like attacks’ against hostile states
• CBS 60 Minutes: Stuxnet worm opens new era of warfare
• Stuxnet 2.0? Researchers find new ‘cyber-surveillance’ malware threat
• Hungarian Lab found Stuxnet-like Duqu malware
• ZDNet Government: Stuxnet may be the Hiroshima of our time
• CNET: Stuxnet delivered to Iranian nuclear plant on thumb drive
• Ex-CIA chief: Stuxnet a good idea
• CBS News: Video: Is Duqu the progeny of Stuxnet?