Hardening Windows Update is Microsoft's next step in mitigating Flame and Flame-inspired attacks after the emergency patch for Windows issued yesterday by the software giant that revokes phony digital certificates used in the Flame targeted cyberespionage attacks.
[ Mostly overshadowed by this week's discovery of Flame, the massive cyberespionage toolkit, was how Iran's Computer Emergency Response Team (CERT) took an unprecedented lead role in disseminating information on the infection worldwide and released a removal tool. See Iranian CERT Takes Center Stage With Flame. ]
Mike Reavey, senior director of the Microsoft Security Response Team, called Security Advisory 2718704 the first of several steps in "a phased mitigation strategy" to prevent further attacks from unauthorized Microsoft digital certificates. The patch basically killed the certs used by Flame and was just the first step the software giant is taking to snuff out copycat attacks.
"Our firm guidance is that customers should apply the update as soon as possible for one simple reason: the fact that malware can be created by attackers and made to look like it is from Microsoft would result in the malware being installed. Removing these certificates is the best first step and the update released yesterday prevents these unauthorized certificates from being used to attack systems running Windows software," Reavey said in a blog post late yesterday.
He also revealed that Flame waged a collision attack against Microsoft Terminal Services' encryption algorithm, but noted that attackers still could falsely sign code without performing a collision attack. "This is an avenue for compromise that may be used by additional attackers on customers not originally the focus of the Flame malware," Reavey said. "In all cases, Windows Update can only be spoofed with an unauthorized certificate combined with a man-in-the-middle attack."
Reavey didn't provide details on the update to Windows Update, but said that Microsoft will "harden" Windows Update to better protect against this type of attack. It will hold off on issuing any changes to Windows Update until after users have applied the new patch.
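A defender's check that the advisory's mitigation is actually in place on a host, as an added example (not code from the article or from Microsoft). It assumes the update is recorded as hotfix KB2718704 and that the revoked certificates were placed in the machine's Untrusted Certificates store with subjects containing "Microsoft Enforced Licensing"; both are assumptions, not details stated in the article.

```powershell
# Added example: confirm the Security Advisory 2718704 mitigation on this host.
# Assumptions (not from the article): the update shows up as hotfix KB2718704,
# and the revoked certificates now sit in the Untrusted Certificates store
# ("Disallowed") with subjects containing "Microsoft Enforced Licensing".

function Test-Advisory2718704 {
    $result = [ordered]@{ HotfixInstalled = $false; UntrustedCerts = @() }

    # Is the update recorded as an installed hotfix? (May be absent on some
    # builds even when the certificates were distributed another way.)
    $hf = Get-HotFix -Id 'KB2718704' -ErrorAction SilentlyContinue
    $result.HotfixInstalled = [bool]$hf

    # The update works by moving the certificates into the Untrusted store, so
    # their presence there is the real evidence that code chained to them can
    # no longer pass as Microsoft-signed on this machine.
    $result.UntrustedCerts = @(
        Get-ChildItem Cert:\LocalMachine\Disallowed |
            Where-Object { $_.Subject -like '*Microsoft Enforced Licensing*' } |
            Select-Object Subject, Thumbprint, NotAfter
    )

    [pscustomobject]$result
}

$status = Test-Advisory2718704
$status.UntrustedCerts | Format-Table -AutoSize
if (-not $status.HotfixInstalled -or @($status.UntrustedCerts).Count -eq 0) {
    Write-Warning 'Advisory 2718704 mitigation not confirmed on this host.'
}
```

Run from an elevated PowerShell session so the LocalMachine store is readable; a host that fails both checks is still exposed to the spoofed-update path Reavey describes.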
Meanwhile, endpoint security firm Bit9 says its whitelisting technology identified and stopped Flame multiple times at a customer's site in the Middle East. The attack went on for several months, starting in October 2011 through April of this year, and Bit9 has confirmed it was Flame now that details have been revealed about the cyberespionage campaign.
The attack specifically targeted one machine at the organization -- which Bit9 declined to name -- and, at one point, tried to attack a Windows vulnerability on 10 consecutive days, each time between 5:54 a.m. and 6:03 a.m., local time.
The targeted organization was definitely in the crosshairs of the Flame attackers, says Harry Sverdlove, CTO at Bit9. "I don't think this was an inadvertent attack at all ... It was very targeted to one machine over an extended period of time at a specific time of day," Sverdlove says.
Flame never got to actually drop its payload on the targeted machine and set up a connection to the command-and-control infrastructure in the attack attempt, however, he says.