Flame malware used man-in-the-middle attack against Windows Update

Filed Under: Featured, Malware, Microsoft, Vulnerability, Windows

Microsoft update revoking Flame compromised certificatesMicrosoft has released an emergency update for all versions of Windows to address a certificate flaw that was used to spread the Flame malware from machine to machine.

Of course you have to trust that your connection to Windows Update is not being attacked while you're retrieving the update that prevents you from being attacked.

This is not the first time we have seen malware abusing digital certificates, but this one is a bit more advanced than previous attacks.

What happened? The Flame malware needed a way to silently infect machines in the target environment, without making the mistake of spreading where it shouldn't like Stuxnet did.

Flame-infected computers can be instructed to impersonate a Web Proxy Autodiscovery Protocol (WPAD) server. Windows machines set for automatic proxy detection (the default) will try to contact a server called wpad.(company domain name) to check for instructions for when to use a HTTP proxy.

Windows Update logoFlame would tell machines on the network that the infected computer was to be used for proxying requests to Microsoft's Windows Update service. Ordinarily this would not work, as Microsoft signs updates with their special digital certificates to ensure you only receive updates that are tamper proof.

But the Flame authors had discovered a critical flaw in Microsoft's certificate infrastructure. The Microsoft Terminal Server Licensing service is used for license management and authorization in many enterprise environments. Microsoft had been mistakenly issuing certificates for use on these servers that could be used to digitally sign code.

Flame appears to have used one of these certificates to sign its payload and perform a man-in-the-middle attack to inject it onto additional machines on the same network. It isn't clear whether it was a certificate obtained legitimately from Microsoft or whether weak ciphers were targeted.

Two of the three certificates Microsoft revoked in this update used the MD5 hashing scheme. It has been demonstrated in the past that MD5 is prone to collisions, which may have also aided the Flame authors in successfully making it look like the malware was from Microsoft.

Managing encryption, ciphers and digital signatures is no easy task and a simple mistake like Microsoft accidentally issuing certificates that can be used to sign code using outdated ciphers is enough to put everyone at risk.

The idea of someone with malicious intent impersonating Windows Update has been discussed for years in the security community. It is sort of a nightmare scenario and I suppose it is good news that it was being used in such a limited way.

Few computers were compromised using this malware compared to the impact we would see if traditional opportunistic malware exploited this flaw. Fortunately the average user will now be protected from this attack moving forward.

These certificates can also be used for signing software for Microsoft's Windows Mobile and Windows Phone 7 devices, but no patch is available as of yet.

I think a friend of mine in the local Vancouver security community put it best: "Maybe 'Genuine Microsoft Advantage' should check the *other* side of the transaction?"

, , , , , , ,

You might like

5 Responses to Flame malware used man-in-the-middle attack against Windows Update

  1. Joy Guy-Pippen · 872 days ago

    Love your information. You have been so helpful. I am a computer dummy and that makes the info you give so helpful to me!!!!!

  2. njorl · 872 days ago

    This is the second-most shocking thing I've heard this year.

    If we combine the unresolved matter of Windows' secret NSA_KEY (http://cryptome.org/nsakey-ms-dc.htm - sorry, couldn't find a Sophos piece but think I had read one) with the clear possibility that the team behind Flame is the one that gave us Stuxnet - comprising the US Ministry of Peace (http://nakedsecurity.sophos.com/2012/06/01/stuxnet-usa-israel-iran-virus/), little imagination seems necessary for conjecturing a conspiracy.

    However, I'll put conspiracy theories aside and be drawn to the easy pleasures of attacking Microsoft.

    The secure update channel is a very important concept, and I'd expect serious, continual, focus on maintaining the security, on top the careful analysis undertaken in the original design.

    Yet, the article suggests that MS continued to rely on an early algorithm (MD5) that, some time ago, had been established as insufficiently hard in the face of contemporary computing power, and that MS has copied some of the update encryption keys for unrelated purposes that involve distribution to third parties.

    Finally, MS appears to have made public that the exploit can be employed against Windows phones before it's ready to protect them.

    So, I can't see MS has a right to retain any credibility.

    What worries me even more is that I now have Flash and Reader happily moving their own, autonomous, updates onto my computers. If I can't trust Microsoft to guard its update channel, what faith can I place in Adopey?

    This story follows nicely on the heals of the FBI warning about hotel networks delivering malware-loaded "updates" (http://nakedsecurity.sophos.com/2012/05/10/fbi-hotel-malware-threat/).

    I'd advise turning off all automatic updates (including the program updates of your antivirus suite), except when your Windows device is connected to your own network, until the software providers publish satisfactory security audits of their mechanisms.

    We've been taking too much for granted.

  3. Allen · 867 days ago

    Hey just a question, how do I tell if the one I installed was legit? I mean did I have to reboot my system? Because after it installed the update it didn't say I had to reboot.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.