Microsoft released a security alert and patch due to the disturbing news that the hugely complex Flame malware has spoofed MS-signed certificates, potentially making Microsoft Update a malware delivery mechanism. Yikes and double yikes.
In what security researcher Mikko Hypponen calls the "Holy Grail" of malware writers, the massive and complex Flame malware, linked to state-sponsored espionage and information-gathering, has managed to spoof Microsoft-signed digital certificates, creating the potential for man-in-the-middle attacks on the Microsoft Update system.
Clearly, as Hypponen points out, successfully exploiting this vast delivery mechanism for malware could be disastrous. If the Flame module successfully performs a man-in-the-middle attack, it drops a file called WUSETUPV.EXE on to the target computer. As of now, however, Hypponen says, "...It has not been used in large-scale attacks. Most likely this function was used to spread further inside an organization or to drop the initial infection on a specific system."
Microsoft is aware of active attacks using unauthorized digital certificates derived from a Microsoft Certificate Authority. An unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows.
Microsoft is providing an update for all supported releases of Microsoft Windows. The update revokes the trust of the following intermediate CA certificates:
- Microsoft Enforced Licensing Intermediate PCA (2 certificates)
- Microsoft Enforced Licensing Registration Authority CA (SHA1)
The investigation into the incident is ongoing, but the main takeaway for now is to patch immediately!