The memory corruption flaw in Microsoft's XML Core Services allows remote code execution via Internet Explorer if a user visits a rigged Web page; Microsoft is urging users to apply the Fix it workaround until it ships a permanent patch. Google spotted targeted attacks exploiting the vulnerability and reported it to Microsoft, which confirmed that the flaw is being exploited in the wild in targeted attacks.
"Over the past two weeks, Microsoft has been responsive to the issue and has been working with us. These attacks are being distributed both via malicious web pages intended for Internet Explorer users and through Office documents," said Andrew Lyons, security engineer for Google, in a blog post. "We strongly recommend Internet Explorer and Microsoft Office users immediately install the Fix it while Microsoft develops and publishes a final fix as part of a future advisory."
According to a report by ZDNet, nation-state sponsored attackers used the attack to hijack Gmail accounts. Sources reportedly told ZDNet that it was those attacks that led to Google's recent warning about state-sponsored attackers.
Meanwhile, in response to Flame, Microsoft has also issued an automatic updater for Vista and Windows 7 that lets the OS detect phony or untrusted certificates. "With this new feature, Windows will check daily for updated information about certificates that are no longer trustworthy. In the past, movement of certificates to the untrusted store required a manual update," said Angela Gunn, of Microsoft's Trustworthy Computing Group.
The new approach will be more timely than certificate revocation lists (CRLs) and OCSP, security experts say.
Flame preyed on weak cryptography in Microsoft's Terminal Services -- specifically an older cryptographic algorithm used in Microsoft's Terminal Server Licensing Service, which lets enterprises enable Remote Desktop services. Microsoft issued an update this month to revoke the rogue certificates and also stopped issuing certificates that could be used for code-signing through Terminal Services.
As of August, Microsoft will no longer support RSA keys of less than 1024 bits for certificates, the software giant said this week. "Adding to our defense-in-depth measures, in August, we will release a change to how Windows manages certificates that have RSA keys of less than 1024 bits in length. Once this key length update is released, we will treat all of these certificates as invalid, even if they are currently valid and signed by a trusted certificate authority," said Kurt Hudson, in a blog post. A software update in August will block crypto keys of less than 1024 bits, he said.
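The key-length rule quoted above is simple to enforce on the wire: parse the RSA public key and measure its modulus. The following is an added example, not code from the article or from Microsoft, of a minimal DER walker that reads the modulus of a PKCS#1 RSAPublicKey and applies the "shorter than 1024 bits is invalid" policy; the sample moduli are constructed, not real keys, and in a real certificate the RSAPublicKey sits inside the SubjectPublicKeyInfo BIT STRING, which this snippet assumes has already been unwrapped.

```python
# Added example: enforce the "RSA keys under 1024 bits are invalid" policy.
MIN_RSA_BITS = 1024  # threshold stated in the article

def _der_len(data, pos):
    """Decode a DER length starting at data[pos]; return (length, next_pos)."""
    first = data[pos]
    if first < 0x80:                      # short form: single byte
        return first, pos + 1
    n = first & 0x7F                      # long form: n following length bytes
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _der_encode(tag, body):
    """Encode one DER TLV, using long-form length when body >= 128 bytes."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_int(value):
    """Encode a non-negative INTEGER; pad with 0x00 if the high bit is set."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _der_encode(0x02, body)

def encode_rsa_public_key(n, e):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    return _der_encode(0x30, _der_int(n) + _der_int(e))

def rsa_modulus_bits(der):
    """Return the modulus bit length from a PKCS#1 RSAPublicKey DER blob."""
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    _, pos = _der_len(der, 1)
    if der[pos] != 0x02:
        raise ValueError("expected INTEGER modulus")
    length, pos = _der_len(der, pos + 1)
    modulus = int.from_bytes(der[pos:pos + length], "big")  # 0x00 pad is harmless
    return modulus.bit_length()

def key_acceptable(der, min_bits=MIN_RSA_BITS):
    """True if the key meets the minimum length; False means treat as invalid."""
    return rsa_modulus_bits(der) >= min_bits

# Constructed sample keys (hypothetical, not real): top bit set so the
# bit length is exact; 65537 is the conventional public exponent.
WEAK_512 = encode_rsa_public_key((1 << 511) | 0x10001, 65537)
OK_2048 = encode_rsa_public_key((1 << 2047) | 0x10001, 65537)
```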
Marc Maiffret, CTO for BeyondTrust and co-founder of eEye Digital Security, says the Windows Updater is in response to Flame as well as other certificate threats. "This is, of course, in reaction to the recent Flame malware and its certificate forging, and then, of course, all the previous CA attacks, stolen certs, and related that were used in a variety of malware from high profile attacks over the last couple of years," Maiffret says.