Smokey's Security Weblog

veritas odium parit

Emergency Bulletin – Out-Of-Band Patch: Microsoft Security Advisory (2718704)

Microsoft Security Advisory (2718704)
Unauthorized Digital Certificates Could Allow Spoofing

http://technet.microsoft.com/en-us/security/advisory/2718704

Published: Sunday, June 03, 2012

Version: 1.0

General Information

Executive Summary

Microsoft is aware of active attacks using unauthorized digital certificates derived from a Microsoft Certificate Authority. An unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows.

Microsoft is providing an update for all supported releases of Microsoft Windows. The update revokes the trust of the following intermediate CA certificates:

  • Microsoft Enforced Licensing Intermediate PCA (2 certificates)
  • Microsoft Enforced Licensing Registration Authority CA (SHA1)

Affected Software and Devices

This advisory discusses the following affected software and devices:

Operating System

Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

Server Core installation option

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Affected Devices

Windows Mobile 6.x
Windows Phone 7
Windows Phone 7.5

Recommendation

For supported releases of Microsoft Windows, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service. For more information, see the Suggested Actions section of this advisory. For affected devices, no update is available at this time.

TechNet Blogs > MSRC > Microsoft releases Security Advisory 2718704

http://blogs.technet.com/b/msrc/archive/2012/06/03/microsoft-releases-security-advisory-2718704.aspx

We recently became aware of a complex piece of targeted malware known as “Flame” and immediately began examining the issue. As many reports assert, Flame has been used in highly sophisticated and targeted attacks and, as a result, the vast majority of customers are not at risk. Additionally, most antivirus products will detect and remove this malware. That said, our investigation has discovered some techniques used by this malware that could also be leveraged by less sophisticated attackers to launch more widespread attacks. Therefore, to help protect both targeted customers and those that may be at risk in the future, we are sharing our discoveries and taking steps to mitigate the risk to customers.

We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft. We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft. Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft.

We are taking several steps to remove this risk:

• First, today we released a Security Advisory outlining steps our customers can take to block software signed by these unauthorized certificates.

• Second, we released an update that automatically takes this step for our customers.

• Third, the Terminal Server Licensing Service no longer issues certificates that allow code to be signed.

These actions will help ensure that any malware components that might have been produced by attackers using this method no longer have the ability to appear as if they were produced by Microsoft.

We continue to investigate this issue and will take any appropriate actions to help protect customers. For more information, please refer back to this site and check with your anti-malware vendor for detection support.

Mike Reavey
Senior Director, MSRC

June 4, 2012 Posted by | Advisories, Alerts, Malware, Vulnerabilities | , , , , , , , , , , , , , | Leave a comment