Even though Flame‘s triggermen launched their malware through a “collision” attack that appears limited to hundreds of computers in the Middle East, mainly Iran, the same Windows vulnerability they used could be exploited through less sophisticated means and to target exponentially more machines.
That’s why Microsoft on Monday evening EST clarified the advisory it released Sunday, which detailed an emergency patch necessary to prevent hackers from using bogus Microsoft digital certificates “to spoof content, perform phishing attacks, or perform man-in-the-middle attacks” — all with the goal of stealing sensitive information.
“Our firm guidance is that customers should apply the update as soon as possible for one simple reason: The fact that malware can be created by attackers and made to look like it is from Microsoft would result in malware being installed,” Microsoft Security Response Center Director Mike Reavey wrote in a blog post.
Flame spread via collision attacks, which can occur when two unique pieces of data have the same hash values. According to US-CERT, the cryptographic hash function MD5 is susceptible to collision attacks. Digital certificates, such as those issued by Microsoft, commonly employ MD5 signatures.
“The Flame malware used a cryptographic collision attack in combination with the terminal server licensing service certificates to sign code as if it came from Microsoft,” Reavey wrote. “However, code-signing without performing a collision is also possible. This is an avenue for compromise that may be used by additional attackers on customers not originally the focus of the Flame malware.”
Mikko Hypponen, chief research officer at Finnish security firm F-Secure and who has been closely following the Flame developments, wondered Monday in a blog post how devastating the exploit could have been.
“I guess the good news is that this [Flame] wasn’t done by cyber criminals interested in financial benefit,” he wrote. “They could have infected millions of computers. Instead, this technique has been used in targeted attacks, most likely launched by a Western intelligence agency.”