Emergency Bulletin – Out-Of-Band Patch: Microsoft Security Advisory (2718704)
Microsoft Security Advisory (2718704)
Unauthorized Digital Certificates Could Allow Spoofing
Published: Sunday, June 03, 2012
Microsoft is aware of active attacks using unauthorized digital certificates derived from a Microsoft Certificate Authority. An unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows.
Microsoft is providing an update for all supported releases of Microsoft Windows. The update revokes the trust of the following intermediate CA certificates:
- Microsoft Enforced Licensing Intermediate PCA (2 certificates)
- Microsoft Enforced Licensing Registration Authority CA (SHA1)
Affected Software and Devices
This advisory discusses the following affected software and devices:
- Windows XP Service Pack 3
- Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Vista Service Pack 2
- Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for Itanium-based Systems Service Pack 2
- Windows 7 for 32-bit Systems
- Windows 7 for 32-bit Systems Service Pack 1
- Windows 7 for x64-based Systems
- Windows 7 for x64-based Systems Service Pack 1
- Windows Server 2008 R2 for x64-based
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
- Windows Server 2008 R2 for Itanium-based Systems
- Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Server Core installation option
- Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 R2 for x64-based Systems (Server Core installation)
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Affected devices
- Windows Mobile 6.x
- Windows Phone 7
- Windows Phone 7.5
For supported releases of Microsoft Windows, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service. For more information, see the Suggested Actions section of this advisory. For affected devices, no update is available at this time.
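As an added, defender-side example that is not part of the advisory or of Microsoft's update: a PowerShell check that confirms the update has placed the two named intermediate CAs in the local machine's Untrusted Certificates (Disallowed) store, and that walks the Authenticode chain of a signed file to report any certificate issued under those CAs. The Disallowed store as the location the update writes to, and the sample file path, are assumptions.

```powershell
# Added example, not Microsoft's code. Subject names come from advisory 2718704.
$RevokedSubjects = @(
    'Microsoft Enforced Licensing Intermediate PCA',
    'Microsoft Enforced Licensing Registration Authority CA'
)

function Test-RevokedLicensingCA {
    # Returns the Untrusted-store entries whose subject matches a name from the advisory.
    # An empty result means the revocation update is not (yet) applied on this host.
    Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
        Where-Object { $s = $_.Subject; $RevokedSubjects | Where-Object { $s -like "*$_*" } }
}

function Get-LicensingChainHits {
    # Builds the signer's chain for one signed file and returns every chain element
    # whose subject matches one of the revoked licensing CAs.
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) { return @() }   # unsigned file: nothing to inspect

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # We only want the chain's shape; do not let offline CRL/OCSP lookups abort the walk,
    # and keep building even though the intermediates are now untrusted.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    [void]$chain.Build($sig.SignerCertificate)

    $chain.ChainElements |
        ForEach-Object { $_.Certificate } |
        Where-Object { $c = $_; $RevokedSubjects | Where-Object { $c.Subject -like "*$_*" } }
}

# Usage (assumed path): first confirm the mitigation, then scan a directory of binaries.
$store = @(Test-RevokedLicensingCA)
if ($store.Count -gt 0) { "Update applied: $($store.Count) revoked licensing CA cert(s) in Disallowed store" }
else { "Revoked licensing CAs not found in Disallowed store; install the 2718704 update" }

Get-ChildItem -Path 'C:\Path\To\Scan' -Include *.exe,*.dll,*.sys -Recurse -File |
    ForEach-Object {
        $hits = @(Get-LicensingChainHits -Path $_.FullName)
        if ($hits.Count -gt 0) { "$($_.FullName): chain includes $($hits[0].Subject)" }
    }
```

A file whose chain reports a hit is not proof of Flame, only of a signature that the update now rejects; treat it as a triage lead and confirm with your anti-malware vendor's detections.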
TechNet Blogs > MSRC > Microsoft releases Security Advisory 2718704
We recently became aware of a complex piece of targeted malware known as “Flame” and immediately began examining the issue. As many reports assert, Flame has been used in highly sophisticated and targeted attacks and, as a result, the vast majority of customers are not at risk. Additionally, most antivirus products will detect and remove this malware. That said, our investigation has discovered some techniques used by this malware that could also be leveraged by less sophisticated attackers to launch more widespread attacks. Therefore, to help protect both targeted customers and those that may be at risk in the future, we are sharing our discoveries and taking steps to mitigate the risk to customers.
We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft. We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft. Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft.
We are taking several steps to remove this risk:
• First, today we released a Security Advisory outlining steps our customers can take to block software signed by these unauthorized certificates.
• Second, we released an update that automatically takes this step for our customers.
• Third, the Terminal Server Licensing Service no longer issues certificates that allow code to be signed.
These actions will help ensure that any malware components that might have been produced by attackers using this method no longer have the ability to appear as if they were produced by Microsoft.
We continue to investigate this issue and will take any appropriate actions to help protect customers. For more information, please refer back to this site and check with your anti-malware vendor for detection support.
Senior Director, MSRC
June 4, 2012 - Posted by Smokey | Advisories, Alerts, Malware, Vulnerabilities | Duqu, Emergency Bulletin, Flame, Microsoft Certificate Authority, Microsoft Enforced Licensing Intermediate PCA (2 certificates), Microsoft Enforced Licensing Registration Authority CA (SHA1), Microsoft Security Advisory (2718704), Microsoft Security Response Center (MSRC), Out-Of-Band Patch, revoked certificates, Stuxnet, targeted cyber-attack, TechNet Blogs, Unauthorized Digital Certificates