Monday in a blog, Mike Reavey, a senior director with Microsoft's Security Response Center, warned that the "Flame" malware which recently attacked systems across the Middle East exploits a flaw in Windows.
The good news is that Flame was used in highly sophisticated and targeted attacks, so the vast majority of Microsoft customers should not be at risk. Most antivirus products will now detect and remove this malware if detected, but Microsoft has also released a Security Advisory outlining steps customers need to take, and an update that automatically takes the steps for customers who don't want to take the manual route.
"We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft," Reavey reports. "We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft."
"Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft," he adds.
In addition to providing manual and automatic steps for blocking software signed by the unauthorized certificates, the Terminal Server Licensing Service no longer issues certificates that allow code to be signed. These three actions should help prevent other malware components using this method to no longer have the ability to appear as if they were produced by Microsoft.
That said, hackers may already be taking note of the techniques used by Flame and launch more widespread attacks with other viruses, relying on Microsoft customers who will ignore the Security Advisory and automatic update. It's also possible that systems are already infected thanks to the same Windows flaw and remain undetected by end-users. Reavey said that Microsoft continues to investigate the issue and will take any appropriate actions to help protect its customers.
News of the Flame virus surfaced last week. Researches said that technical evidence suggested it was built on behalf of the same nation(s) that commissioned the Stuxnet worm that attacked Iran's nuclear program back in 2010. Flame was able to install itself on computers by tricking Windows into believing it was a legitimate program from Microsoft, as Reavey's blog indicates.
UPDATE: Security firm Kaspersky Lab goes into great detail about Flame here.