
Microsoft Issues Updates To Extinguish Flame And Other Flaws

Microsoft has issued a number of security patches to stamp out the Flame worm, and announced the contents of next week’s regular Patch Tuesday update – which includes three critical vulnerabilities.

The company explained earlier this week how Flame included a rare form of attack known as MD5 hash collision, which gave attackers the “Holy Grail” – the ability to forge certificates to dupe users into thinking they were running Microsoft software.

In the collision technique, attackers took a legitimate Microsoft certificate that used MD5 as its hash algorithm and RSA-2048 as its public key algorithm. They then created a similar certificate with the same MD5 hash. Because the signature is computed over the hash, the RSA-2048 signature from the legitimate certificate could then be grafted onto the forged certificate to make it seem legitimate.

Flame thrower

“The issuing certificate authority used known validity periods and certificate serial numbers that could be predicted with high probability,” Microsoft said in a blog post. “Because of the predictable serial numbers, the attacker can perform a set of certificate enrollments that reveal the likely serial number when they perform their collision attack.”

The attackers also removed the critical Microsoft Hydra extension from the forged certificate. If they hadn’t removed this extension, the target’s system would not have validated the certificate or allowed the malicious software to load.

Microsoft has now invalidated all the related certificates to protect users. It has also released an out-of-band update to “harden” the Terminal Services Licensing server from which certificates are issued. Microsoft essentially eradicated any links to the certificates.

“We continue to encourage all customers who are not installing updates automatically to do so immediately,” it said.

Patch Tuesday

Meanwhile, Microsoft has posted seven bulletins addressing a total of 25 vulnerabilities for this month’s Patch Tuesday. Three bulletins have received a critical rating, with four ranked important.

There’s a fix for Internet Explorer (versions 6, 7, 8 and 9, depending on operating system) that includes fixes for an attack disclosed at the PWN2OWN contest in March.

“Most users should focus on bulletins 1-4, Windows and Office, together with the important security announcement from Microsoft regarding the abuse of a Microsoft certificate in the signing of the Flame malware. If you have not installed the update in Security Advisory 2718704 yet, you should plan on rolling it out as quickly as possible at least together with the other critical patches next week,” advised Qualys CTO Wolfgang Kandek.

Head here for the full advisory from Microsoft.

SUICIDE Mission?

Microsoft and the rest of the security community have been trying to decipher the Flame worm, figuring out what its various modules can do. Symantec discovered the operators of the worm had told a number of infected machines to eradicate all traces of Flame, effectively sending a suicide pill to the malware.

However, the command was not sent over the SUICIDE module, but over another called browse32.ocx. “It is unknown why the malware authors decided not to use the SUICIDE functionality, and instead make Flamer perform explicit actions based on a new module,” Symantec said in a blog post.

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
