Today is Tuesday for me, but it's not "second Tuesday," so it shouldn't be
patch Tuesday. But today my little netbook, which is set just to inform me
when updates are available, informed me that it had updated, but I needed to
reboot to complete the task, and, if I didn't do anything in the next little
while it was going to reboot anyway.

Yesterday, of course, wasn't patch Tuesday, but all my machines set to "go
ahead and update" all wanted to update on shutdown last night.

This is, of course, because Flame (aka Flamer, aka sKyWIper) has an
"infection" module that messes with Windows/Microsoft Update. As I understand
it, there is some weakness in the update process itself, but the major problem
is that Flame "contains" and uses a fake Microsoft digital certificate.

You can get some, but not very much, information about this from Microsoft's
Security Response Center blog:
http://blogs.technet.com/b/msrc/
http://blogs.technet.com/b/msrc/archive/2012/06/03/microsoft-releases-security-advisory-2718704.aspx
http://blogs.technet.com/b/msrc/archive/2012/06/04/security-advisory-2718704-update-to-phased-mitigation-strategy.aspx

You can get more detailed information from F-Secure:
http://www.f-secure.com/weblog/archives/2377.html

It's easy to see that Microsoft is extremely concerned about this situation.
Not necessarily because of Flame: Flame uses pretty old technology, only
targets a select subset of systems, and doesn't even run on Win7 64-bit. But
the fake cert could be a major issue. Once that cert is out in the open it can
be used not only for Windows Update, but for "validating" all kinds of malware.
And, even though Flame only targets certain systems, and seems to be limited
in geographic extent, I have pretty much no confidence at all that the blackhat
community hasn't already got copies of it. (The cert doesn't necessarily
*have* to be contained in the Flame codebase, but the structure of the attack
seems to imply that it is.) So, the only safe bet is that the cert is "in the
wild," and can be used at any time.

(Just before I go on with this, I might say that the authors of Flame, whoever
they may be, did no particularly bad thing in packaging up a bunch of old
trojans into one massive kit. But putting that fake cert out there was simply
asking for trouble, and it's kind of amazing that it hasn't been used in an
attack before now.)

The first thing Microsoft is doing is patching MS software so that it doesn't
trust that particular cert. They aren't giving away a lot of detail, but I
imagine that much midnight oil is being burned in Redmond redoing the
validation process so that a fake cert is harder to use. Stay tuned to your
Windows Update channel for further developments.

However, in all of this, one has to wonder where the fake cert came from. It
is, of course, always possible to simply brute force a digital signature,
particularly if you have a ton of validated MS software, and a supercomputer
(or a huge botnet), and mount a birthday (collision) attack. (And everyone is
assuming that the authors of Flame have access to the resources of a
nation-state. Or two ...) Now the easier way is simply to walk into the cert
authority and ask for a couple of Microsoft certs. (Which someone did one
time. And got away with it.)

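The collision-versus-brute-force distinction the post leans on, as an added illustration that is not part of the original message: a birthday search for any two colliding inputs needs only about the square root of the hash space, whereas finding a second input that matches one fixed, already-signed document costs the whole space. The hash used here is SHA-256 truncated to a handful of bits, an assumption made so the searches finish in well under a second; real certificate digests are vastly larger.

```python
import hashlib
from math import pi, sqrt

def truncated_hash(data: bytes, bits: int) -> int:
    """SHA-256 cut down to its top `bits` bits: a stand-in (assumption) for a
    hash small enough to search exhaustively on a laptop."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)

def birthday_collision(bits: int, prefix: bytes = b"doc-") -> tuple[int, bytes, bytes]:
    """Birthday search: hash fresh candidate inputs until two distinct ones
    share a truncated digest. Returns (inputs tried, first input, second input)."""
    seen: dict[int, bytes] = {}
    count = 0
    while True:
        msg = prefix + str(count).encode()   # every candidate is distinct
        count += 1
        h = truncated_hash(msg, bits)
        if h in seen:
            return count, seen[h], msg
        seen[h] = msg

def second_preimage(target: bytes, bits: int, prefix: bytes = b"alt-") -> tuple[int, bytes]:
    """Second-preimage search against one fixed target: the cost paid when the
    signed document is NOT under the attacker's control. Returns (tried, input)."""
    want = truncated_hash(target, bits)
    count = 0
    while True:
        msg = prefix + str(count).encode()
        count += 1
        if truncated_hash(msg, bits) == want:
            return count, msg

def expected_trials(bits: int) -> tuple[float, float]:
    """(expected birthday trials, expected second-preimage trials) for `bits` bits:
    sqrt(pi/2 * 2^bits) versus 2^bits."""
    return sqrt(pi / 2 * 2 ** bits), float(2 ** bits)

if __name__ == "__main__":
    for bits in (16, 20, 24):
        tried, a, b = birthday_collision(bits)
        exp_bday, exp_pre = expected_trials(bits)
        print(f"{bits}-bit: collision after {tried} inputs (expected ~{exp_bday:.0f}); "
              f"a second preimage would need ~{exp_pre:.0f}")
    # Only run the full-space search where it is still quick (16 bits).
    tried, alt = second_preimage(b"constructed-signed-document", 16)
    print(f"16-bit second preimage found after {tried} inputs: {alt!r}")
```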
But then, I was thinking. In the not too distant past, we had a whole bunch of
APT attacks (APT being an acronym standing for "we were lazy about our
security, but it really isn't our fault because these attackers didn't play
fair!") on cert authorities. And the attacks got away with a bunch of valid
certs.

OK, we think Flame is possibly as much as five years in the wild, and almost
certainly two years. But it is also likely that there were updates during the
period in the wild, so it's hard to say, right off the top, which parts of it
were out there for how long.

And I just kind of wonder ...

==
rsl...@computercrime.org sl...@victoria.tc.ca rsl...@vcn.bc.ca
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs: [Base URL]mnbksccd.htm
Security Dict.: [Base URL]secgloss.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
Review mailing list: send mail to techbooks-subscr...@egroups.com
http://blogs.securiteam.com/index.php/archives/author/p1/
http://blog.isc2.org/isc2_blog/slade/index.html http://twitter.com/rslade
___
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.