Tuesday, June 5, 2012

Malware Flame Exploits vulnerability in Windows Update

According to threat analysis of the recent 'Flame' malware, the attack was a two-part scheme that allowed Windows Update to be hijacked via a man-in-the-middle (MITM) attack.

The first prong of the attack exploited a flaw in an older cryptographic algorithm used by the certificate infrastructure behind Remote Desktop licensing. This allowed the attackers to generate a certificate that is technically valid and appears to come from Microsoft; that certificate was then used to sign the malware's code.

From Microsoft Security Response Center Senior Director Mike Reavey:
“We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft,”

According to Andrew Storms of nCircle, this discovery lends significant credence to the theory that this malware is the direct result of espionage being conducted between nation-states:

“The discovery of a bug that’s been used to circumvent Microsoft’s secure code certificate hierarchy is a major breach of trust, and it’s a big deal for every Microsoft user. It also underscores the delicate and the problematic nature of the trust models behind every Internet transaction.”

Rest assured though, as Microsoft has stated that this capability is no longer present in the Terminal Server Licensing Service.

The second part of the attack was the MITM attack itself: the infected server uses a WPAD (Web Proxy Auto-Discovery) announcement to configure browsers on the local network to use it as a proxy. This is only possible on machines that have 'Automatically Detect Settings' enabled.

Once a machine is configured to use the infected server as a proxy, the server simply waits for a request for Windows Update. It then sends out an update signed by the generated certificate, which allows the software to be executed, because all software from Microsoft is safe, right! The installed software then downloads and installs the full malware. According to a CNN article, the malware came with a series of modules that allowed it to do things such as monitor inboxes, take screenshots, or even use Bluetooth to infect other nearby devices.
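As an added illustration of the certificate side of this attack (example code, not from the original post and not Microsoft's own validation logic): a small chain-policy check that refuses a code-signing leaf when an issuing CA's own EKUs do not permit code signing, or when any certificate in the path is signed with an algorithm on a deprecated list. Certificates are modelled as dataclasses with constructed names; the post only says an "older cryptography algorithm" was involved, so the deprecated set and the EKU names are assumed policy inputs.

```python
from __future__ import annotations
from dataclasses import dataclass, field

CODE_SIGNING = "codeSigning"
# Assumed policy: which signature algorithms a verifier should reject.
DEPRECATED_ALGS = {"md5WithRSA", "sha1WithRSA"}


@dataclass
class Cert:
    subject: str
    issuer: str
    sig_alg: str                    # algorithm used to sign THIS certificate
    is_ca: bool
    ekus: set = field(default_factory=set)   # empty set = unrestricted CA


def check_code_signing_chain(chain: list[Cert], anchors: set[str]) -> list[str]:
    """Return policy violations for a chain (empty list means acceptable).
    chain[0] is the leaf that signed the code; chain[-1] is the root."""
    problems = []
    leaf = chain[0]
    if CODE_SIGNING not in leaf.ekus:
        problems.append(f"leaf '{leaf.subject}' lacks the {CODE_SIGNING} EKU")
    # A CA that was only ever meant for, say, licensing must not be able to
    # delegate code signing: every CA with an EKU set must include it.
    for cert in chain[1:]:
        if not cert.is_ca:
            problems.append(f"'{cert.subject}' is not a CA but issued a certificate")
        if cert.ekus and CODE_SIGNING not in cert.ekus:
            problems.append(f"CA '{cert.subject}' EKUs {sorted(cert.ekus)} do not permit {CODE_SIGNING}")
    # Weak signature algorithms are rejected everywhere except on the
    # self-signed root, which is trusted by fiat rather than by its signature.
    for cert in chain[:-1]:
        if cert.sig_alg in DEPRECATED_ALGS:
            problems.append(f"'{cert.subject}' signed with deprecated {cert.sig_alg}")
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            problems.append(f"'{child.subject}' issuer does not match '{parent.subject}'")
    if chain[-1].subject not in anchors:
        problems.append("path does not end at a trust anchor")
    return problems


# Constructed sample chains (names and EKU strings are made up for the example).
ROOT = Cert("Example Root CA", "Example Root CA", "sha256WithRSA", True)
GOOD_CHAIN = [
    Cert("Contoso Software", "Example Code Signing CA", "sha256WithRSA", False, {CODE_SIGNING}),
    Cert("Example Code Signing CA", "Example Root CA", "sha256WithRSA", True, {CODE_SIGNING}),
    ROOT,
]
SUSPECT_CHAIN = [  # licensing CA issued a code-signing leaf over a weak algorithm
    Cert("Licensing Customer", "Example Licensing CA", "md5WithRSA", False, {CODE_SIGNING}),
    Cert("Example Licensing CA", "Example Root CA", "sha256WithRSA", True, {"serverLicensing"}),
    ROOT,
]
```

Running `check_code_signing_chain(SUSPECT_CHAIN, {"Example Root CA"})` reports both the EKU delegation problem and the deprecated algorithm, while the good chain returns no problems.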

Wait a tick....

The part that really worries me comes from this excerpt:

"It’s a scenario security researchers have long worried about, a man-in-the-middle attack that allows someone to impersonate Microsoft Update to deliver malware — disguised as legitimate Microsoft code — to unsuspecting users." (Wired, 2012)

AND

"We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft. We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft. Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft." (Reavey, 2012)

To me, these two statements, though admittedly from different individuals, make me wonder if this was something that was conveniently overlooked....

Thoughts?
