
Microsoft Security Advisories do not, as a rule, make the media sit up and take notice, not least because they have become relatively commonplace over the years. Every now and then, though, one comes along that deserves the press attention it gets. Take MSA 2718704, for example.

At first sight the advisory, issued on June 3rd under the title "Unauthorized Digital Certificates Could Allow Spoofing", does not sound especially interesting. It becomes interesting once you realise that components of the Flame worm (as reported here on DaniWeb) were signed with a certificate that chained up to the Microsoft Root Authority via the Microsoft Enforced Licensing Intermediate PCA certificate authority. That exposed a potentially serious problem with code-signing certificates: malware could be validated as if it were a Microsoft product.

Following the exposure of Flame, Microsoft investigated and found that certificates issued by the Microsoft Terminal Services licensing certification authority, whose intended use is limited to verifying Remote Desktop license servers in the enterprise, could be used to sign code as if it came from Microsoft itself, without any access to the internal Microsoft PKI infrastructure that exists to prevent exactly that. The lever was an old cryptographic algorithm: the licensing CA still signed with MD5, and a hash collision against it let the attackers obtain a certificate that Windows would accept for code signing.

Of course, it is not just Flame that is the problem here: such unauthorised certificates could also be used to spoof content for phishing purposes, or to mount man-in-the-middle attacks against online banking. Microsoft has therefore released an emergency update which revokes trust in a number of intermediate CA certificates across all supported releases of Windows, and has stopped issuing certificates usable for code signing via the Terminal Services activation and licensing process.
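As an added example, not from the article and not Microsoft's own tooling, this is the check a Windows administrator would run after reading the advisory. It assumes the update is installed under the advisory's number, KB2718704, and that it files the revoked intermediates in the machine "Untrusted Certificates" store, as Microsoft's advisory describes; the subject-name fragments come from the advisory's list of revoked certificates, while the function names are mine. It confirms the update is present, confirms the licensing intermediates are untrusted, and walks the Authenticode chain of any signed binary, flagging a link that is the licensing CA or is signed with MD5.

```powershell
# Added example (not from the DaniWeb article or from Microsoft): a quick
# post-patch audit for the MSA 2718704 mitigation on a Windows host.
# Assumptions (labelled, not from the article): the update is installed as
# KB2718704, and it moves the revoked licensing intermediates into the machine
# "Untrusted Certificates" store (Cert:\LocalMachine\Disallowed).

# Subject-name fragments of the intermediates the advisory revokes trust in.
# Matching by name rather than thumbprint avoids hard-coding identifiers here.
$revokedSubjects = @(
    'Microsoft Enforced Licensing Intermediate PCA',
    'Microsoft Enforced Licensing Registration Authority CA'
)

function Test-SubjectRevoked {
    param([string]$Subject)
    foreach ($fragment in $revokedSubjects) {
        if ($Subject -like "*$fragment*") { return $true }
    }
    return $false
}

# 1. Is the advisory's update present on this host?
$hotfix = Get-HotFix -Id 'KB2718704' -ErrorAction SilentlyContinue
if ($hotfix) {
    Write-Output "KB2718704 installed on $($hotfix.InstalledOn)"
} else {
    Write-Warning 'KB2718704 not found; this host may still trust the licensing intermediates'
}

# 2. Are the licensing intermediates sitting in the Untrusted store?
$untrusted = Get-ChildItem Cert:\LocalMachine\Disallowed |
    Where-Object { Test-SubjectRevoked $_.Subject }
if ($untrusted) {
    $untrusted | ForEach-Object { Write-Output "Untrusted: $($_.Subject) [$($_.Thumbprint)]" }
} else {
    Write-Warning 'No Microsoft Enforced Licensing certificates found in the Untrusted store'
}

# 3. Does a signed binary chain through the licensing CA, or rely on MD5 anywhere?
# Usage: Test-SignerChain -Path 'C:\path\to\binary.exe'
function Test-SignerChain {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) {
        Write-Output "$Path is not Authenticode-signed"
        return $false
    }

    # Build the chain ourselves so every link can be inspected, not just the leaf.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline audit; CRL state is not the point here
    [void]$chain.Build($sig.SignerCertificate)

    $suspicious = $false
    foreach ($element in $chain.ChainElements) {
        $cert  = $element.Certificate
        $algo  = $cert.SignatureAlgorithm.FriendlyName   # e.g. 'md5RSA', 'sha1RSA'
        $flags = @()
        if (Test-SubjectRevoked $cert.Subject) { $flags += 'licensing-CA' }
        if ($algo -match 'md5')                { $flags += "weak-hash($algo)" }
        if ($flags) { $suspicious = $true }
        Write-Output ('{0,-22} {1}  [{2}]' -f ($flags -join ','), $cert.Subject, $algo)
    }
    Write-Output "Signature status: $($sig.Status); suspicious chain: $suspicious"
    return $suspicious
}
```

The chain walk is the part worth keeping after the patch has rolled out: a binary whose signature still reports Valid on an unpatched machine shows up here with the licensing intermediate and an md5RSA link in plain view, which is exactly the condition the advisory is about.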


As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.



Microsoft really needs to improve their software, meaning enable security to prevent these strings of fakes. This can't keep happening.
