Security

Flame malware targets Microsoft Update system: Patch now

Microsoft released a security alert and patch due to the disturbing news that the hugely complex Flame malware has spoofed MS-signed certificates, potentially making Microsoft Update a malware delivery mechanism. Yikes and double yikes.

In what security researcher Mikko Hypponen calls the "Holy Grail" of malware writers, the massive and complex Flame malware, linked to state-sponsored espionage and information-gathering, has managed to spoof Microsoft-signed digital certificates, creating the potential for man-in-the-middle attacks on the Microsoft Update system.

Clearly, as Hypponen points out, successfully exploiting this vast delivery mechanism for malware could be disastrous. If the Flame module successfully performs a man-in-the-middle attack, it drops a file called WUSETUPV.EXE on to the target computer. As of now, however, Hypponen says, "...It has not been used in large-scale attacks. Most likely this function was used to spread further inside an organization or to drop the initial infection on a specific system."

Microsoft's warning and patch are located on its support page. The full Technet Security Advisory is linked here:

Microsoft is aware of active attacks using unauthorized digital certificates derived from a Microsoft Certificate Authority. An unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows.

Microsoft is providing an update for all supported releases of Microsoft Windows. The update revokes the trust of the following intermediate CA certificates:

  • Microsoft Enforced Licensing Intermediate PCA (2 certificates)
  • Microsoft Enforced Licensing Registration Authority CA (SHA1)
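The advisory says the update works by revoking trust in the two intermediate CAs named above, so the practical check after patching is whether those certificates now sit in the machine's Untrusted Certificates store. The script below is an added example, not code from the article or from Microsoft; it assumes the update places the revoked issuers in Cert:\LocalMachine\Disallowed and matches them by the subject names given in the advisory. Run it from an elevated PowerShell prompt on the patched machine.

```powershell
# Added example, not code from the TechRepublic article or from Microsoft.
# Assumption: the update revokes the two intermediate CAs by placing them in
# the machine's Untrusted Certificates store (Cert:\LocalMachine\Disallowed).

function Test-RevokedLicensingCerts {
    # Subject names of the intermediate CAs listed in Microsoft's advisory.
    $revokedSubjects = @(
        'Microsoft Enforced Licensing Intermediate PCA',
        'Microsoft Enforced Licensing Registration Authority CA'
    )

    # Untrusted (revoked) certificates and still-trusted intermediate CAs.
    $disallowed   = Get-ChildItem -Path Cert:\LocalMachine\Disallowed
    $intermediate = Get-ChildItem -Path Cert:\LocalMachine\CA

    foreach ($name in $revokedSubjects) {
        $revoked = @($disallowed   | Where-Object { $_.Subject -like "*CN=$name*" })
        $trusted = @($intermediate | Where-Object { $_.Subject -like "*CN=$name*" })

        [pscustomobject]@{
            Subject        = $name
            InDisallowed   = $revoked.Count -gt 0
            Thumbprints    = ($revoked | ForEach-Object { $_.Thumbprint }) -join ','
            StillInCAStore = $trusted.Count -gt 0
        }
    }
}

$results = Test-RevokedLicensingCerts
$results | Format-Table -AutoSize

# A revoked issuer missing from Disallowed, or still present in the CA store,
# means the revocation did not land and the update should be re-checked.
if ($results | Where-Object { -not $_.InDisallowed -or $_.StillInCAStore }) {
    Write-Warning 'Revoked intermediate CA not found in the Disallowed store (or still trusted); the update may not be applied.'
}
```

The "Microsoft Enforced Licensing Intermediate PCA" entry covers two certificates according to the advisory, which is why the thumbprints are collected as a list rather than a single value; seeing both there is the expected result on a patched machine.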

The investigation into the incident is ongoing, but the main takeaway for now is to patch immediately!

About

Selena has been at TechRepublic since 2002. She is currently a Senior Editor with a background in technical writing, editing, and research. She edits Data Center, Linux and Open Source, Apple in the Enterprise, The Enterprise Cloud, Web Designer, and...

22 comments
VytautasB

Thought for many years that getting into the windows update mechanism would be one of the best ways to do the most harm and mischief to the most computers at one shot.

bburgess66

The reason Windows is hit more, is because it is used more. Hopelessness removed with attitudes removed.

kevlar700

Just went to download the patch on my Linux box. They request windows validation to download it. I presume the code I last got has timed out and I could go to the trouble of getting a new one, but how wrong. I don't use Windows online but I considered methods of getting it for my sister and for offline machines. Microsoft say security patches will be provided even to known pirate copies for the protection of all users from bots but I've also found friends' non-WGA systems that needed big kicks to get them to update. To the comment about not targeting Windows Update, the linked article says this. "The full mechanism isn't yet completely analyzed, but Flame has a module which appears to attempt to do a man-in-the-middle attack on the Microsoft Update or Windows Server Update Services (WSUS) system"

kathe

Nice to know MS knows its there now. Too bad I wasn't protected before the update, because I updated but I have WUSETUPV.EXE in my registry. And MS has no solution available at this time.

swmace

The malware doesn't actually "target" Windows Update, otherwise the idea of patching one's Windows computer through Windows Update would be absurd. How would you know whether you were installing the real patch or an infected file? From what I've read on ZDNet as well as the Kaspersky Labs site, there is not a single shred of evidence that this has "targeted" Windows Update. It uses the TS Licensing certificate to sign its own software so that it doesn't get stopped by Windows built-in protections against installing unsigned software. Please change the headline unless you have evidence that this has been used (or even can be used) as a MITM attack on Windows Update. Does FUD know no bounds?

IanDSamson

After downloading & running the Authenticity Check, then downloading and installing the "patch", a message appeared saying the patch did not apply to my operating system. Geez! Typical Micro$oft!

danbi

Years ago, when Microsoft started signing code and letting "Microsoft certified" software run on Windows without any indication of doing so, with full privileges -- few security experts warned that this is going to be disaster. Now, certificates have leaked. What is more, it became apparent that certificates intended for server identification ended up being trusted for code signing. So much about "trustworthy computing". Then, recently there was news about hackers compromising Microsoft systems and doing nobody knows what. They might well have modified Windows Update and it has not delivered the next backdoor. If you do not view Windows itself as the backdoor, that is.

JohnMcGrew

...if and/or when the Microsoft Update mechanism would be compromised. What better way to infect the best-protected computers and users.

daniel.bizon

Installed it immediately. Better safe than sorry...

James-SantaBarbara

No documented use in the wild so far. Most likely and could be are just plainly theoretical. Not the first time certificates have been misused and revoked. Microsoft seems to have reacted swiftly with an out-of-calendar security patch...unlike some other players that wait months and months and months.

GrizzledGeezer

Thanks for the heads-up. I installed the update on my notebook running W7 Pro 64. No problems. I still run W2K Pro on my desktop, so I was "amused" by Microsoft's weaselly disclaimer: "This issue affects all supported releases of Microsoft Windows." It presumably affects all the unsupported releases as well, but Microsoft isn't doing anything about //them//.

Robiisan

If you found it in your registry, why not just manually edit it out? Do a search on the nasty and every time you find it, delete the key. No?

kevlar700

"otherwise the idea of patching one's Windows computer through Windows Update would be absurd. " What other option do you think they have, it's prevention not cure.

m.thomas.hill

What is your professional opinion? Does one install the patch or trust in their malware programs and firewall settings? I use OpenDNS and they have supposedly helped on their end protecting their users from potentially going to sites that may have dubious material. Just a thought...

danbi

Like if this malware exists from yesterday...

Gisabun

When Apple releases updates to OS X 10.3 or before or Fedora/Redhat release updates for version 5, then you can make that comment. But who the hell would want to use Win 2K anyways? Why would Microsoft support an OS that is 12 years old. Simple solution for you? Don't go to any web site that may be fishy or pirated sites. Why haven't you complained about Win 2K in the past couple of years?

kathe

That was a nice way of asking am I an idiot. :) I'm actually a novice. I know enough to see if I'm infected (in some cases) but not enough to know if I can harm my registry if I delete something that could have rewritten it. I trust by your comment it will be fine, so I'm deleting the file. Thanks!

danbi

In my opinion: Windows is hopeless.

kevlar700

I'm not sure if you have edited it out of your registry or removed the file. I wonder what permissions are needed to edit that part of your registry? Be aware that it is well documented that the only confident measure of cleaning an infected system is to wipe the whole filesystem as it could have done anything including replacing your windows update exe, you just have to hope the malware's purpose is not too bad and others haven't jumped on its bandwagon. As wiping is unlikely an option you want to take, your best bet would be to use another system to research and get a tool to clean it. There's a small chance that removing the registry entry might actually stop detection and so its cleanup, especially for spyware.

Seotop

Danbi, absolutely agree with your opinion. Windows is so sad... I just have no words but still using it coz have no choice :(