Microsoft issues update to protect businesses from Flame malware

Businesses should install a Microsoft security update to avoid being duped by exploited certificates that were used as part of the Flame malware attack against targeted Iranian computer networks.

The update fixes a vulnerability in Microsoft‘s Terminal ServerLicensing Service that allowed signing of software with certificates asif it were code originating from Microsoft, the company said in a blogpost.

Thepost, written by Mike Reavey, the senior director ofMicrosoft Trustworthy Computing, says an older cryptography algorithmproved exploitable and could be used to sign malicious code to certifythat it came from Microsoft.

Terminal Services Licensing Service provided certificates that werepermitted to sign code as if it came from Microsoft, the blog says. Thecertificates were intended to authorize Remote Desktop servicessecurely.

The company issued a securityadvisory about how to correct the problem, and recommendsthat customers apply the update using update management software orMicrosoft Update service.

“The update revokes the trust of the following intermediate[certificate authority] certificates: Microsoft Enforced LicensingIntermediate PCA (2 certificates), Microsoft Enforced LicensingRegistration Authority CA (SHA1),” the advisory says.

An intermediate CA is a certificate authority that doesn’t have thetrust of the device it is connecting to, but it does have the trust ofa root CA that the device does trust. Chains of intermediate CAs canlead back to a trusted root CA, and devices attempt to follow thosechains to establish authenticity of certificates.

Weaknesses in this chain-of-trust system have were exploited repeatedlylast year against SSL certificates used by browsersto authenticatewebsites. This led to repeated calls for a new authentication system.

Tim Greene coversMicrosoft for Network World and writes the Mostly Microsoft blog. Reachhim at and follow him on Twitter @Tim_Greene.

Share on LinkedIn Share with Google+