Microsoft Warns That Flame Virus Exploits Windows Flaw

In a blog post on Monday, Mike Reavey, a senior director with Microsoft's Security Response Center, warned that the "Flame" malware that recently attacked systems across the Middle East exploits a flaw in Windows.

The good news is that Flame was used in highly sophisticated and targeted attacks, so the vast majority of Microsoft customers should not be at risk. Most antivirus products will now detect and remove this malware if detected, but Microsoft has also released a Security Advisory outlining steps customers need to take, and an update that automatically takes the steps for customers who don't want to take the manual route.

"We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft," Reavey reports. "We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft."

"Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft," he adds.

In addition to providing manual and automatic steps for blocking software signed by the unauthorized certificates, Microsoft has changed the Terminal Server Licensing Service so that it no longer issues certificates that allow code to be signed. Together, these three actions should prevent other malware components that use this method from appearing as if they were produced by Microsoft.
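As an added example (mine, not code from the article or from Microsoft), the PowerShell audit below assumes a Windows host with the standard Cert: drive and lists certificates in the machine's CA and Root stores that combine a weak signature hash (the older algorithm in this case was MD5; SHA-1 is included as well) with code-signing capability, the combination Reavey describes, and then shows the Untrusted store where the advisory's update places the unauthorized certificates.

```powershell
# Added example, not code from the article or Microsoft. Assumes a Windows host
# with the Cert: drive and the standard .NET X509 classes (no other dependencies).
$WeakHashes  = @('md5RSA', 'md2RSA', 'md4RSA', 'sha1RSA')  # .NET SignatureAlgorithm FriendlyName values
$CodeSignOid = '1.3.6.1.5.5.7.3.3'                          # id-kp-codeSigning

function Test-CodeSigningCapable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    # No EKU extension means no purpose restriction, so code signing is accepted too.
    if (-not $eku) { return $true }
    foreach ($oid in $eku.EnhancedKeyUsages) {
        if ($oid.Value -eq $CodeSignOid) { return $true }
    }
    return $false
}

function Get-WeakCodeSigningCerts {
    # The CA (intermediate) store matters most: a root is trusted by its presence
    # in the store, so the hash on its self-signature is only informative.
    param([string[]]$Stores = @('Cert:\LocalMachine\CA', 'Cert:\LocalMachine\Root'))
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            $algo = $_.SignatureAlgorithm.FriendlyName
            if (($WeakHashes -contains $algo) -and (Test-CodeSigningCapable -Cert $_)) {
                [pscustomobject]@{
                    Store = $store; Subject = $_.Subject; Issuer = $_.Issuer
                    Algorithm = $algo; Thumbprint = $_.Thumbprint; NotAfter = $_.NotAfter
                }
            }
        }
    }
}

function Get-DistrustedCerts {
    # The Disallowed (Untrusted Certificates) store is where the advisory's update
    # places the unauthorized certificates so that signatures under them are rejected.
    Get-ChildItem -Path 'Cert:\LocalMachine\Disallowed' |
        Select-Object Subject, Issuer, Thumbprint, NotAfter
}

Get-WeakCodeSigningCerts | Format-Table -AutoSize
Get-DistrustedCerts      | Format-Table -AutoSize
```

Run it in an elevated session; an empty first table and the advisory's certificates in the second are the expected state after the update is applied.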

That said, hackers may already be taking note of the techniques used by Flame and may launch more widespread attacks with other viruses, relying on Microsoft customers ignoring the Security Advisory and the automatic update. It's also possible that systems have already been infected through the same Windows flaw and remain undetected by end-users. Reavey said that Microsoft continues to investigate the issue and will take any appropriate actions to help protect its customers.

News of the Flame virus surfaced last week. Researchers said that technical evidence suggested it was built on behalf of the same nation(s) that commissioned the Stuxnet worm that attacked Iran's nuclear program back in 2010. Flame was able to install itself on computers by tricking Windows into believing it was a legitimate program from Microsoft, as Reavey's blog indicates.

UPDATE: Security firm Kaspersky Lab goes into great detail about Flame here.

  • A Bad Day
    On the bright side, looks like it might not hit a company (that will remain unnamed), that still uses Windows NT 4.

    The majority of major weaknesses in all software is the organic meatbag sitting at the computer, or deciding if he/she should give pay raises to the high ranking executives or give the cash-starved IT department some funding.
  • amuffin
    Still not as many computers infected as that crapple catastrophe that happened a few weeks back.
  • livebriand
    "Most antivirus products will now detect and remove this malware if detected"
    Huh?
  • livebriand
    A Bad Day: "On the bright side, looks like it might not hit a company (that will remain unnamed), that still uses Windows NT 4."
    WOW... I guess XP and IE6 really isn't that bad then.
  • WR2
    Oh great.
  • ahnilated
    and this is a prime reason why closed source OS's don't work.
  • unksol
    "We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft."

    "Does that shuttle have a clearance code?"

    "It's an old code sir, but it checks out. I was about to clear them"
  • proxy711
    ahnilated: "and this is a prime reason why closed source OS's don't work."
    Ya because when everyone can see the code for an OS there's no way anyone will find any exploits. Such flawed logic.
  • house70
    Virus made by US and Israeli govt. agencies. That means they did not need to crack anything, just go to the source (MS) and ask for the code for "national security" purposes. Betcha they did not even need a subpoena for that, just flash their badges.
    Of course, once the beans were spilled, they allowed MS to "patch" it, so it doesn't spread to the "good" guys.
    Right?
    Problem is, what goes around, comes around. I would be surprised NOT to find any stepchildren of this virus (and Stuxnet, a close relative) after a little while, wreaking havoc on people's PCs.
  • A Bad Day
    ahnilated: "and this is a prime reason why closed source OS's don't work."
    Then you have yet to be disillusioned by Android OS.