6/14/2012
09:15 AM
Microsoft Fights Flame Malware With Certificate Killer

Flame malware spoofed a Microsoft digital certificate to automatically install itself on targeted PCs, leading Microsoft to tweak Windows to receive a daily update listing untrusted certificates.

Flame malware includes a killer feature: It can install whole copies of itself on targeted Windows PCs, using built-in Windows Update functionality. The culprit was the malware's ability to spoof a Microsoft digital certificate, thus tricking Windows into thinking that the malware code was legitimate.

In response, Microsoft Wednesday released an automatic updater--available for Windows Vista, Windows 7, as well as Windows Server 2008 and 2008 R2--that keeps tabs on a list of known-bad digital certificates, including the one exploited by Flame. "This updater expands on the existing automatic root update mechanism technology that is found in Windows Vista and in Windows 7 to let certificates that are compromised or are untrusted in some way be specifically flagged as untrusted," according to Microsoft's related update notes.

"The goal of the new updater is to allow for updates to the untrusted certificate store in one day--or less--after a new bad certificate is known," said SANS Institute chief research officer Johannes B. Ullrich in a blog post. "A [bit] sad that we need this, but it does appear to be necessary to have a method to continuously update a bad certificate [list]," not least to stop malware of the Flame variety.

[ How did Flame work? Read Flame Malware Tapped World Class Crypto. ]

Revoking bad digital certificates is a tricky business. One approach has been to use a certificate revocation list (CRL), which includes the serial numbers of all certificates that have been revoked and should no longer be trusted. Meanwhile, Microsoft had also relied on the Online Certificate Status Protocol (OCSP), which is an Internet protocol used to obtain the revocation status of an X.509 digital certificate.

But neither CRLs nor OCSP is perfect. "Key revocation lists and OCSP were designed to notify clients of revoked certificates," said Ullrich. "However, these protocols haven't shown the scalability necessary to reliably notify clients of invalid certificates."

Indeed, revoking bad certificates typically required Windows administrators to manually tweak the Windows Untrusted Certificate Store, or else Microsoft had to push certificate updates via Windows Update. By comparison, "this new automatic updater will enable Certificate Authorities to report information about their revoked CA certificates to Microsoft and have them publicly untrusted in a much faster manner, as compared to propagating this information by using CRLs," according to a blog post from Microsoft's Kurt Hudson.
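The Untrusted Certificate Store and the CRL/OCSP checks discussed above can be inspected from an administrator's console. The following PowerShell is an added example, not code from the article or from Microsoft; it lists the machine-wide Disallowed store, checks whether a given thumbprint (placeholder value) has been added to it, and builds a chain for a certificate file (placeholder path) with online revocation checking so the engine's CRL/OCSP result is visible.

```powershell
# Added example (not from the article or Microsoft): audit the store the
# updater feeds, and surface CRL/OCSP results from the Windows chain engine.

function Get-DisallowedCertificates {
    # The Cert: drive exposes the Untrusted Certificates store as "Disallowed".
    Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
        Select-Object Subject, Issuer, Thumbprint, NotBefore, NotAfter
}

function Test-CertificateDisallowed {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Store thumbprints are upper-case hex with no separators; normalize input.
    $wanted = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $hit = Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
        Where-Object { $_.Thumbprint -eq $wanted }
    return ($null -ne $hit)
}

function Get-ChainRevocationStatus {
    param([Parameter(Mandatory)][string]$Path)
    # Online mode makes the chain engine fetch CRLs / query OCSP for every
    # certificate in the chain; ChainStatus then carries flags such as
    # Revoked, RevocationStatusUnknown, OfflineRevocation or UntrustedRoot.
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $valid = $chain.Build($cert)
    [PSCustomObject]@{
        Subject    = $cert.Subject
        ChainValid = $valid
        Problems   = ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ', '
    }
}

Get-DisallowedCertificates | Format-Table -AutoSize
# Placeholder thumbprint and path; substitute real values when running.
Test-CertificateDisallowed -Thumbprint '0000000000000000000000000000000000000000'
Get-ChainRevocationStatus -Path 'C:\path\to\certificate.cer'
```

An empty Problems field with ChainValid set to True means the chain built and no revocation was reported; a RevocationStatusUnknown or OfflineRevocation entry shows the CRL/OCSP lookup itself failed, which is the reliability gap Ullrich describes.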

Some small infrastructure tweaks might be necessary to make the updater work in enterprise environments. In particular, any firewalls containing hardcoded URLs for Windows Update will need their settings edited to allow for the new disallowed and allowed certificate trust lists (CTLs). "As part of this update, the URLs that are used for contacting Windows Update to download the untrusted and trusted CTLs were changed. This could cause problems for enterprises that hardcode these URLs in their firewalls as exceptions," noted Microsoft.

Meanwhile, in other Microsoft-related security news, the company warned Tuesday of an unpatched vulnerability in Microsoft XML (MSXML) Core Services--now being actively exploited in the wild--that allows attackers to execute arbitrary code on a compromised PC. According to Microsoft's security advisory, "the vulnerability exists when MSXML attempts to access an object in memory that has not been initialized, which may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user."

"MSXML provides a set of W3C-compliant XML APIs which allows users to use [JavaScript], VBScript, and Microsoft development tools to develop XML 1.0 standard applications," said Pavithra Hanchagaiah, a senior security researcher at Trend Micro, in a blog post.

"An attacker can craft ... websites to host a malicious Web page invoking affected MSXML APIs, which in turn accesses a COM object in memory that has not been initialized," Hanchagaiah said. "The vulnerability is exploited when a user opens these crafted Web pages using IE."

According to Microsoft, "an attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user," meaning that users with administrative-level access rights are more at risk from this type of attack. It said the likeliest attack vectors using this vulnerability would be phishing emails, or links sent via instant messages.

According to news reports, the attack has already been used to compromise multiple Gmail accounts. Google, meanwhile, appears to have begun warning people targeted by the exploit that "state-sponsored attackers may be attempting to compromise your account or computer."

The vulnerability affects all versions of Windows, as well as Microsoft Office versions 2003 SP3, 2007 SP2, and 2007 SP3. But Microsoft said that by default, Internet Explorer on Windows Server 2003, 2008, and 2008 R2 "runs in a restricted mode that is known as Enhanced Security Configuration," which would block the attack from working on those systems.

While no automatic patch is yet available, Microsoft said it has released a "fix it" solution.
