June 05, 2012

Microsoft calls on users to fix Flame security bug

Microsoft calls on users to fix Flame security bug
Microsoft calls on users to fix Flame security bug

Even though Flame's triggermen launched their malware through a "collision" attack that appears limited to hundreds of computers in the Middle East, mainly Iran, the same Windows vulnerability they used could be exploited through less sophisticated means and to target exponentially more machines.

That's why Microsoft on Monday evening EST clarified the advisory it released Sunday, which detailed an emergency patch necessary to prevent hackers from using bogus Microsoft digital certificates "to spoof content, perform phishing attacks, or perform man-in-the-middle attacks" -- all with the goal of stealing sensitive information.

"Our firm guidance is that customers should apply the update as soon as possible for one simple reason: The fact that malware can be created by attackers and made to look like it is from Microsoft would result in malware being installed," Microsoft Security Response Center Director Mike Reavey wrote in a blog post.

Flame spread via collision attacks, which can occur when two unique pieces of data have the same hash values. According to US-CERT, the cryptographic hash function MD5 is susceptible to collision attacks. Digital certificates, such as those issued by Microsoft, commonly employ MD5 signatures.

"The Flame malware used a cryptographic collision attack in combination with the terminal server licensing service certificates to sign code as if it came from Microsoft," Reavey wrote. "However, code-signing without performing a collision is also possible. This is an avenue for compromise that may be used by additional attackers on customers not originally the focus of the Flame malware."

Mikko Hypponen, chief research officer at Finnish security firm F-Secure and who has been closely following the Flame developments, wondered Monday in a blog post how devastating the exploit could have been.

"I guess the good news is that this [Flame] wasn't done by cyber criminals interested in financial benefit," he wrote. "They could have infected millions of computers. Instead, this technique has been used in targeted attacks, most likely launched by a Western intelligence agency."

Related Articles
Related Topics

Sign up to our newsletters

More in News

House Intelligence Committee OKs amended version of controversial CISPA

Despite the 18-to-2 vote in favor of the bill proposal, privacy advocates likely will not be satisfied, considering two key amendments reportedly were shot down.

Judge rules hospital can ask ISP for help in ID'ing alleged hackers

The case stems from two incidents where at least one individual is accused of accessing the hospital's network to spread "defamatory" messages to employees.

Three LulzSec members plead guilty in London

Ryan Ackroyd, 26; Jake Davis, 20; and Mustafa al-Bassam, 18, who was not named until now because of his age, all admitted their involvement in the hacktivist gang's attack spree.