
Microsoft Warns That Flame Virus Exploits Windows Flaw

Source: Microsoft | 22 comments

Last week's Flame virus was able to install itself thanks to a previously undisclosed flaw in Windows, Microsoft says.

In a blog post on Monday, Mike Reavey, a senior director with Microsoft's Security Response Center, warned that the "Flame" malware that recently attacked systems across the Middle East takes advantage of a flaw in Windows: a weakness in how Microsoft issued certificates, which let Flame's components pass as code signed by Microsoft.

The good news is that Flame was used in highly sophisticated and targeted attacks, so the vast majority of Microsoft customers should not be at risk. Most antivirus products now detect and remove the malware. Microsoft has also published a Security Advisory (2718704, "Unauthorized Digital Certificates Could Allow Spoofing") outlining the steps customers need to take, and an update that performs those steps automatically for customers who don't want to take the manual route.

"We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft," Reavey reports. "We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft."

"Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft," he adds.

The "older algorithm" Reavey does not name is MD5, the hash used to sign the Terminal Server licensing certificates; the weakness is not a code-execution bug but a certificate chain, trusted by Windows and rooted at Microsoft, that could be abused (on newer Windows versions only by way of a collision against MD5) to mint a certificate able to sign code. Besides providing manual and automatic steps for blocking software signed by the unauthorized certificates, Microsoft has changed the Terminal Server Licensing Service so that it no longer issues certificates that can sign code. Together, these three actions should stop other malware components that use this method from appearing to have been produced by Microsoft.
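For an administrator who wants to confirm that the mitigation described above is actually in place, the following PowerShell is an added example for this page, not code from Microsoft or from the advisory. It assumes the update (or a manual import) has placed the revoked certificates in the machine-wide Untrusted Certificates store, and it matches them by the subject-name pattern "Microsoft Enforced Licensing", which is the name family the advisory lists for the revoked Terminal Server Licensing certificates (the names are taken from the advisory, not from this article). It then walks the Authenticode chain of a few system binaries, flagging any chain that touches one of those certificates or that contains an MD5-signed certificate, the weakness Flame relied on.

```powershell
# Added example (not from the article, Microsoft, or the advisory).
# Assumption: the revoked Terminal Server Licensing certificates carry
# "Microsoft Enforced Licensing" in their subject, as the advisory lists them.
$revokedPattern = 'Microsoft Enforced Licensing'

function Test-FlameCertMitigation {
    # The update copies the untrusted certificates into the machine-wide
    # "Untrusted Certificates" store, exposed as Cert:\LocalMachine\Disallowed.
    $found = Get-ChildItem Cert:\LocalMachine\Disallowed |
        Where-Object { $_.Subject -like "*$revokedPattern*" -or $_.Issuer -like "*$revokedPattern*" }
    if (-not $found) {
        Write-Warning 'No Microsoft Enforced Licensing certificates in the Disallowed store; the update (or a manual import) is missing.'
        return $false
    }
    foreach ($cert in $found) {
        "Disallowed: {0}  {1}" -f $cert.Thumbprint, $cert.Subject
    }
    return $true
}

function Test-SignerChain {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) { return "${Path}: unsigned" }

    # Build the chain the way the OS does; a certificate that sits in the
    # Disallowed store makes the signature status NotTrusted rather than Valid.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check of the chain shape only
    [void]$chain.Build($sig.SignerCertificate)

    foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate
        if ($cert.Subject -like "*$revokedPattern*") {
            return "${Path}: chains to a revoked Terminal Server Licensing certificate (signature status {0})" -f $sig.Status
        }
        # An MD5-signed certificate anywhere in the chain is the kind of link
        # Flame's forged certificate exploited; report it even if Windows still accepts it.
        if ($cert.SignatureAlgorithm.FriendlyName -match 'md5') {
            return "${Path}: chain contains an MD5-signed certificate: {0}" -f $cert.Subject
        }
    }
    return "${Path}: {0} ({1})" -f $sig.Status, $sig.SignerCertificate.Subject
}

# Usage: report the store state, then inspect a handful of Microsoft-signed binaries.
Test-FlameCertMitigation
Get-ChildItem "$env:windir\System32\*.exe" | Select-Object -First 5 |
    ForEach-Object { Test-SignerChain $_.FullName }
```

Run it from an elevated prompt so the machine store is readable. The store check is the one that matters for the advisory: if `Test-FlameCertMitigation` returns `$false`, the machine still trusts the certificate chain Flame abused, whatever the antivirus status.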

That said, attackers may already be taking note of the technique Flame used and could launch more widespread attacks with other malware, counting on Microsoft customers who ignore the Security Advisory and the automatic update. It's also possible that systems already infected through the same weakness remain undetected by their users. Reavey said that Microsoft continues to investigate the issue and will take any appropriate actions to help protect its customers.

News of the Flame virus surfaced last week. Researchers said that technical evidence suggested it was built on behalf of the same nation (or nations) that commissioned the Stuxnet worm, which attacked Iran's nuclear program back in 2010. Flame was able to install itself on computers by tricking Windows into believing it was a legitimate program from Microsoft, as Reavey's blog post indicates.

UPDATE: Security firm Kaspersky Lab goes into great detail about Flame here.

Top Comments
  • 22
    unksol , June 4, 2012 11:45 PM
    Quote:
    "We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft."


    "Does that shuttle have a clearance code?"

    "It's an old code sir, but it checks out. I was about to clear them"
  • 15
    amuffin , June 4, 2012 11:10 PM
    Still not as many computers infected as that crapple catastrophe that happened a few weeks back.
Other Comments
  • 6
    A Bad Day , June 4, 2012 11:09 PM
    On the bright side, looks like it might not hit a company (that will remain unnamed) that still uses Windows NT 4.

    Majority of major weaknesses in all software is the organic meatbag sitting at the computer, or deciding if he/she should give pay raises to the high ranking executives or give the cash-starved IT department some funding.
  • -6
    livebriand , June 4, 2012 11:17 PM
    "Most antivirus products will now detect and remove this malware if detected"
    Huh?
  • 2
    livebriand , June 4, 2012 11:18 PM
    Quote (A Bad Day): On the bright side, looks like it might not hit a company (that will remain unnamed) that still uses Windows NT 4.

    WOW... I guess XP and IE6 really isn't that bad then.
  • -4
    WR2 , June 4, 2012 11:30 PM
    Oh great.
  • 0
    ahnilated , June 4, 2012 11:40 PM
    And this is a prime reason why closed source OSes don't work.
  • 5
    proxy711 , June 5, 2012 12:10 AM
    Quote (ahnilated): And this is a prime reason why closed source OSes don't work.

    Ya, because when everyone can see the code for an OS there's no way anyone will find any exploits. Such flawed logic.
  • -4
    house70 , June 5, 2012 12:23 AM
    Virus made by US and Israeli govt. agencies. That means they did not need to crack anything, just go to the source (MS) and ask for the code for "national security" purposes. Betcha they did not even need a subpoena for that, just flash their badges.
    Of course, once the beans were spilled, they allowed MS to "patch" it, so it doesn't spread to the "good" guys.
    Right?
    Problem is, what goes around, comes around. I would be surprised NOT to find any stepchildren of this virus (and Stuxnet, a close relative) after a little while, wreaking havoc on people's PCs.
  • 3
    A Bad Day , June 5, 2012 12:24 AM
    Quote (ahnilated): And this is a prime reason why closed source OSes don't work.


    Then you have yet to be disillusioned by Android OS.
  • 4
    hawkwindeb , June 5, 2012 1:17 AM
    Quote (ahnilated): And this is a prime reason why closed source OSes don't work.

    Quote (A Bad Day): Then you have yet to be disillusioned by Android OS.

    It's that a well-run open source OS "should be" more secure than closed source, and there are examples: Solaris, RedHat, etc. Well run as in reviewed by many security experts (real experts, that is) and other OS experts, etc. Android OS is not one of these, so I agree with "A Bad Day".
  • -4
    jurassic512 , June 5, 2012 2:17 AM
    Quote (livebriand): WOW... I guess XP and IE6 really isn't that bad then.

    Silly rabbit. If you clicked the Security Advisory link, you'd see XP SP3 IS affected. And oh yea, XP is NT 5.1 ;)

    PS, stay away from tech sites if you can't read or be bothered to click on the links in the story.
  • 2
    Christopher1 , June 5, 2012 2:49 AM
    Quote (A Bad Day): On the bright side, looks like it might not hit a company (that will remain unnamed) that still uses Windows NT 4. Majority of major weaknesses in all software is the organic meatbag sitting at the computer, or deciding if he/she should give pay raises to the high ranking executives or give the cash-starved IT department some funding.


    Personally, I would rather those 'raises to executives' be voted on by law by the stockholders. If you cannot get a majority who are willing to give them raises, then these guys just have to stay with 10 million dollars+.
  • 0
    rds1220 , June 5, 2012 3:34 AM
    So I'm confused. How exactly is this virus infecting computers? Is it through emails or pretend updates from MS? Do you have to download something to get infected or is it just completely random?
  • 0
    CaedenV , June 5, 2012 3:41 AM
    Quote (hawkwindeb): It's that a well-run open source OS "should be" more secure than closed source, and there are examples: Solaris, RedHat, etc. Well run as in reviewed by many security experts (real experts, that is) and other OS experts, etc. Android OS is not one of these, so I agree with "A Bad Day".

    As if MS, Apple, and Google do not have both in-house talent, or hire people to do such work? If it is open source it is mostly safe for the same reason that OS9/X were safe for so long; Not because they are necessarily secure, but because the people targeted simply do not use the systems.
    Most attacks are in order to gain personal information for ID theft, most people who do not care about ID theft are in the general public, and the general public uses Windows. Therefore Windows is the most attacked OS in the world.
    Macs have traditionally been either for work machines (audio/video/photo work, or school lab PCs) with little personal information, or are owned by people who have wealth, and know how to protect that wealth, so there was little point to attacking such machines. Now macs (and more specifically mac devices) are used more and more by the general public... and what do you know... exploits are coming out.
    Linux/unix kernel is quite secure, which makes it excellent for storing large amounts of sensitive information, but as a home system, the security is only as good as the software that runs on the machine which can be infected. Specifically the web browser, store, and music apps that may have a store. Again, small population, so there is little reason for hackers to really go there, but if it was really used, people would find a way in.

    The only truly secure machine is the one that is turned off and locked away. When in use there is no amount of security that can make up for stupidity.
  • -1
    CaedenV , June 5, 2012 3:49 AM
    ... think of it another way; If someone has a Linux machine, or if a business or gov't agency uses something out of the ordinary for the sake of security measures, then it does not matter what the security level really is. What matters is that people who use such systems are typically more educated, and are more likely to hunt a person down to retaliate in one way or another. The average user of Windows, OSX, iOS, or Android will simply call their credit card or insurance company, who will normally just revoke the fees, and will not put much effort into prosecution unless the problem is large enough to bother with.
  • 0
    ahnilated , June 5, 2012 1:21 PM
    Quote (proxy711): Ya, because when everyone can see the code for an OS there's no way anyone will find any exploits. Such flawed logic.

    When there are tons of eyes on it, exploits are found much quicker and patched quicker. With no one knowing about it, i.e. Microsoft's stuff, they have no reason to patch it unless they "feel" it is an issue. There are numerous reports out there about security companies letting Microsoft know about security issues and they don't fix them because they don't "feel" it is an issue. Well, I am sorry, but if there is a security flaw found they ALL should be fixed.

    And if you want to talk about Linux, I have had my Linux system on the web for the last 21 yrs and never had a virus. I put my Windows system on the web for under 30 seconds and had a virus. Which do you think is more secure?
  • -2
    eddieroolz , June 5, 2012 2:50 PM
    Quote (john_4): Just another reason to run OS X or Linux


    And lock yourself out of what the software world has to offer.

    No thanks.
  • 3
    curiosul , June 5, 2012 3:06 PM
    Quote (unksol): "Does that shuttle have a clearance code?" "It's an old code sir, but it checks out. I was about to clear them"


    Best comment of the day. Period.
  • 1
    mihaimm , June 5, 2012 3:26 PM
    Quote:
    If it is open source it is mostly safe for the same reason that OS9/X were safe for so long; Not because they are necessarily secure, but because the people targeted simply do not use the systems.
    If you believe attacks are limited to identity theft and personal spying then you really are not thinking right about security. The real money is in the industrial spying business, where you manage to penetrate your competition's servers and get their secrets, or in the other spying business (http://www.theregister.co.uk/2009/02/12/nsa_offers_billions_for_skype_pwnage/).
    Apple and MS most certainly have the money to hire the right people. But they also have marketing, investors, deadlines and so on. When you announce Win8 on that date, you simply can't move it. There are millions of disks to be manufactured, user manuals, etc. Can Microsoft live with an unfixed vulnerability that they are aware of for at least 6 months? (Google "Windows 7 UAC code-injection vulnerability" for the answer). Can Apple ignore antivirus companies and refuse to do what they want? Yes... they can.

    What happens to the security of the Linux kernel? It get's scrutinized by thousands of developers and some companies like... Canonical, SuSE, RedHat, Google, IBM, Oracle, Mandriva, Intel... and others. Because they can (open source software). And they care (selling products using Linux). They do have deadlines but they rarely care if they miss them. Because they generally have an incremental development process.