
Microsoft Issues Updates To Extinguish Flame And Other Flaws

Microsoft has issued an out-of-band security update to shut down the certificate abuse behind the Flame worm, and has announced the contents of next week’s regular Patch Tuesday release, which includes three critical bulletins.

The company explained earlier this week how Flame relied on a rare form of attack, an MD5 hash collision, which handed the attackers the “Holy Grail”: the ability to forge certificates that duped Windows systems and their users into treating the malware as genuine Microsoft software.

In the collision technique the attackers started from a legitimate Microsoft certificate whose signature used MD5 as its hash algorithm and an RSA-2048 key. They then crafted a different certificate whose signed contents produce exactly the same MD5 hash. Because a signature only ever covers the hash, not the certificate bytes themselves, the RSA-2048 signature from the genuine certificate could be grafted onto the forged one and would still verify.

Flame thrower

“The issuing certificate authority used known validity periods and certificate serial numbers that could be predicted with high probability,” Microsoft said in a blog post. “Because of the predictable serial numbers, the attacker can perform a set of certificate enrollments that reveal the likely serial number when they perform their collision attack.”

The attackers also removed the Microsoft Hydra extension, which is flagged as critical, from the forged certificate. Under X.509 rules a validator that does not recognise a critical extension must reject the certificate, so had the extension been left in place the target’s system would not have validated the certificate or allowed the malicious software to load.
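The grafting step described above can be shown in a few lines. The following is an added example, not code from the article, from Microsoft or from the Flame authors. It makes two assumptions that the article does not: the two 128-byte blobs are the published Wang-Feng-Lai-Yu MD5 collision pair, standing in for the to-be-signed bodies of the legitimate and forged certificates (the real attack computed a fresh collision against a predicted certificate, and the real bodies are DER-encoded), and the “CA” is textbook RSA over the raw digest using two Mersenne primes, unpadded and far too small for real use. The structure of the attack is unchanged: the signer only ever sees the digest, so a second body with the same MD5 digest inherits the signature, while a SHA-256 signature does not transfer.

```python
"""Signature grafting via an MD5 collision, as a toy model of the Flame forgery.

Added example; not code from the article, Microsoft or the Flame authors.
Assumptions (not from the article): LEGIT_BODY/FORGED_BODY are the public
Wang-Feng-Lai-Yu MD5 collision pair; the CA is unpadded textbook RSA with
Mersenne primes M521 and M127, which is unsafe and only for illustration.
"""
import hashlib

# Public MD5 collision pair: identical MD5 digest, differing in six bytes.
LEGIT_BODY = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
FORGED_BODY = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)

# Toy CA key (assumption): Mersenne primes M521 and M127, public exponent 65537.
# N is ~648 bits, so both a 128-bit MD5 and a 256-bit SHA-256 digest fit below it.
P = 2**521 - 1
Q = 2**127 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def digest_int(body: bytes, hash_name: str) -> int:
    """Hash the certificate body and read the digest as a big-endian integer."""
    return int.from_bytes(hashlib.new(hash_name, body).digest(), "big")


def ca_sign(body: bytes, hash_name: str) -> int:
    """The issuing CA signs only the digest; it never learns what else hashes to it."""
    return pow(digest_int(body, hash_name), D, N)


def verify(body: bytes, signature: int, hash_name: str) -> bool:
    """Relying party: recover the signed digest and compare with the body's digest."""
    return pow(signature, E, N) == digest_int(body, hash_name)


def differing_offsets() -> list:
    """Byte positions where the two bodies differ, proving the forgery is not a copy."""
    return [i for i, (a, b) in enumerate(zip(LEGIT_BODY, FORGED_BODY)) if a != b]


def same_digest(hash_name: str) -> bool:
    """True when both bodies collide under the named hash function."""
    return digest_int(LEGIT_BODY, hash_name) == digest_int(FORGED_BODY, hash_name)


def graft_signature(legit: bytes, forged: bytes, hash_name: str) -> bool:
    """Attacker step: have the CA sign the legitimate body, then attach that
    signature to the forged body. Returns whether a verifier accepts the forgery."""
    sig = ca_sign(legit, hash_name)  # the CA only ever saw `legit`
    return verify(forged, sig, hash_name)


if __name__ == "__main__":
    print("bodies differ at byte offsets:", differing_offsets())
    for name in ("md5", "sha256"):
        print(f"{name}: bodies collide={same_digest(name)}, "
              f"grafted signature accepted={graft_signature(LEGIT_BODY, FORGED_BODY, name)}")
```

Run stand-alone, the script reports that the two bodies differ at six byte offsets, that they collide under MD5 but not SHA-256, and that the grafted signature is accepted only in the MD5 case. The lesson for certificate validation is the one Microsoft drew: a signature is only as strong as the hash it covers, so any chain that still accepts MD5-signed certificates accepts forgeries of this kind.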

Microsoft has now invalidated all the related certificates to protect users, placing the affected intermediate certificate authorities in the Windows Untrusted Certificates store so nothing chaining to them will validate. It has also released an out-of-band update to “harden” the Terminal Services Licensing server from which the certificates were issued.

“We continue to encourage all customers who are not installing updates automatically to do so immediately,” it said.

Patch Tuesday

Meanwhile, Microsoft’s advance notification for this month’s Patch Tuesday lists seven bulletins addressing a total of 25 vulnerabilities. Three bulletins are rated critical and four are rated important.

There is a fix for Internet Explorer (versions 6, 7, 8 and 9, depending on the operating system) that includes patches for an attack disclosed at the Pwn2Own contest in March.

“Most users should focus on bulletins 1-4, Windows and Office, together with the important security announcement from Microsoft regarding the abuse of a Microsoft certificate in the signing of the Flame malware. If you have not installed the update in Security Advisory 2718704 yet, you should plan on rolling it out as quickly as possible at least together with the other critical patches next week,” advised Qualys CTO Wolfgang Kandek.


SUICIDE Mission?

Microsoft and the rest of the security community have been trying to decipher the Flame worm and work out what its various modules can do. Symantec discovered that the operators of the worm had instructed a number of infected machines to eradicate all traces of Flame, effectively sending the malware a suicide pill.

However, the command was not delivered through the malware’s built-in SUICIDE module but through a separate module called browse32.ocx. “It is unknown why the malware authors decided not to use the SUICIDE functionality, and instead make Flamer perform explicit actions based on a new module,” Symantec said in a blog post.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
