Microsoft certificate used to sign Flame malware, issues warning

Microsoft has issued a security advisory warning and a high-priority update after parts of the Flame malware were signed with Microsoft-issued certificates.
Written by Zack Whittaker, Contributor

Microsoft has issued an emergency security patch after it found components of the Flame malware were signed with one of its trusted digital certificates that "chained up" to the Microsoft Root Authority.

The software giant said it had "immediately began examining the issue".


Flame, described by Kaspersky researchers as the “most complex threat” ever discovered, was discovered in a series of machines in what is understood to be a state-sponsored attack.

"Our investigation has discovered some techniques used by this malware that could also be leveraged by less sophisticated attackers to launch more widespread attacks," Mike Reavey, senior director to Microsoft's Security Response Center (MSRC), said in a blog post.

Having said that, the out-of-the-blue advisory fails to actively note that the malware affects virtually every currently supported version of Windows. Despite this, because of the highly-targeted nature of the malware, most Windows users are not at risk.

In response, Microsoft has issued a security advisory warning its digital certificates could allow "spoofing", and has revoked the two intermediate certificate authorities.

However, the security bulletin does not make clear who had access to these certificates, or whether they were abused by authorised personnel. It may be that they were compromised and abused by an unauthorised user.

Microsoft has also released a Windows Update patch that customers are advised to install immediately.

MSRC's Jonathan Ness explained: "What we found is that certificates issued by our Terminal Services licensing certification authority, which are intended to only be used for license server verification, could also be used to sign code as Microsoft."

The company will therefore discontinue issuing certificates that could be used to sign code via the Terminal Services activation process.

Image credit: Robert S. Donovan/Flickr.


Editorial standards