Microsoft ‘Oversight’ Helped Flame Spread

An “oversight” by Microsoft back in 2009 helped Flame spread, as it allowed attackers to effectively create fake certificates for malicious Windows updates, according to a cryptographic expert.

Professor Ronald Cramer, head of the Cryptology Research Group at the Centrum Wiskunde & Informatica (CWI) in Amsterdam, told TechWeekEurope that whilst he was not blaming anyone for the spread of Flame, Microsoft was guilty of an “important oversight”.

Research from 2009 showed how hackers could exploit weaknesses to carry out what is known as an MD5 collision attack. Super-powered cyber-espionage tool Flame used a variant of this attack vector to spread.

Despite knowing about the 2009 research, Microsoft failed to stop MD5 hashes from being used in its Terminal Server Licensing server from which certificates were issued – something which Flame exploited, TechWeekEurope was told.

In the case of Flame’s MD5 collision attack, hackers took a legitimate Microsoft certificate using the MD5 specification for its hash and RSA-2048 encryption for its public key algorithm. They then created a similar certificate using the same MD5 hash. An RSA-2048 signature was then grafted onto the forged certificate to make it seem legitimate.

Flame’s operators used fake certificates to dupe users into downloading malicious software, which then helped the worm propagate.

Cramer versus Flamer

Cramer and co-cryptanalist Marc Stevens had been led to believe that the use of MD5-based signatures was killed off completely on 15 January 2009. However, Microsoft had not done so in its Terminal Server Licensing server.

This also meant that the attack method was open to anyone who knew about it since 2009.

“Microsoft overlooked a part of their system where they should have been blocking [MD5-based signatures], but it turned out not to have blocked them,” Cramer said. When asked whether Microsoft should have picked up on the issue in 2009, Cramer said “common sense would suggest that this is the case.”

Cramer believes that Flame may have used another attack vector to spread if it could not have used fake Microsoft certificates. “Perhaps Flame might have selected another delivery method. But it is obvious that had the MD5-based signatures been blocked to the whole required extent, then this wouldn’t have been the delivery method for Flame,” he added.

Cramer and Stevens’ analysis suggested that “world class cryptanalysis” was behind the creation of Flame. The worm’s operators used a “scientifically interesting” variation of methods that Stevens was responsible for highlighting in 2009.

“This is certainly not trivial,” Cramer added. “This would require world-class skill, understanding and inventiveness.”

At the time of publication, Microsoft had not responded to a request for comment. The company has hardened its certification system, killing off any traces of those signatures used by Flame.

Are you a security pro? Test yourself with our quiz!