Flame's Microsoft mask
- {{x.value}}
{{ twilioFailed ? 'SMS Code Failed to Send…' : 'Enter verification code' }}
{{ completedStep1 ? 'Start your free 15 day trial now' : content.trialHeading.replace('{0}', user.FirstName) }}
{{ content.upgradeHeading.replace('{0}', user.FirstName) }}
The email address you entered is registered with InvestSMART
Please login to continue
We have sent you an email with the details of your registration.
Looks you are already a member. Please enter your password to proceed
{{ upgradeCTAText }}
Updating information
Please wait ...
Your membership to InvestSMART Group recently failed to renew.
Please make sure your payment details are up to date to continue your membership.
Having trouble renewing?
Please contact Member Services on support@investsmart.com.au or 1300 880 160
You've recently updated your payment details.
It may take a few minutes to update your subscription details, during this time you will not be able to view locked content.
If you are still having trouble viewing content after 10 minutes, try logging out of your account and logging back in.
Still having trouble viewing content?
Please contact Member Services on support@investsmart.com.au or 1300 880 160
Please click on the ACTIVATE button to activate your Intelligent Investor 15-day free trial
Please click on the ACTIVATE button to finalise your membership
Unsuccessful registration
Registration for this event is available only to Eureka Report members. View our membership page for more information.
Registration for this event is available only to Intelligent Investor members. View our membership page for more information.
- You are already registered for this event.
- This event is already full.
- Please select a quantity for at least one ticket.
- {{ i }}
Forgotten password
Please enter your email address below to request a new password
- Verify your email address by clicking on the link we sent to {{user.Email}}
- You now have free access, we look forward to helping you on your financial journey.
Microsoft has released an emergency update for all versions of Windows to address a certificate flaw that was used to spread the Flame malware from machine to machine.
Of course you have to trust that your connection to Windows Update is not being attacked while you're retrieving the update that prevents you from being attacked.
This is not the first time we have seen malware abusing digital certificates, but this one is a bit more advanced than previous attacks.
What happened? The Flame malware needed a way to silently infect machines in the target environment, without making the mistake of spreading where it shouldn't like Stuxnet did.
Flame-infected computers can be instructed to impersonate a Web Proxy Autodiscovery Protocol (WPAD) server. Windows machines set for automatic proxy detection (the default) will try to contact a server called wpad.(company domain name) to check for instructions for when to use a HTTP proxy.
Flame would tell machines on the network that the infected computer was to be used for proxying requests to Microsoft's Windows Update service. Ordinarily this would not work, as Microsoft signs updates with their special digital certificates to ensure you only receive updates that are tamper proof.
But the Flame authors had discovered a critical flaw in Microsoft's certificate infrastructure. The Microsoft Terminal Server Licensing service is used for license management and authorisation in many enterprise environments. Microsoft had been mistakenly issuing certificates for use on these servers that could be used to digitally sign code.
Flame appears to have used one of these certificates to sign its payload and perform a man-in-the-middle attack to inject it onto additional machines on the same network. It isn't clear whether it was a certificate obtained legitimately from Microsoft or whether weak ciphers were targeted.
Two of the three certificates Microsoft revoked in this update used the MD5 hashing scheme. It has been demonstrated in the past that MD5 is prone to collisions, which may have also aided the Flame authors in successfully making it look like the malware was from Microsoft.
Managing encryption, ciphers and digital signatures is no easy task and a simple mistake like Microsoft accidentally issuing certificates that can be used to sign code using outdated ciphers is enough to put everyone at risk.
The idea of someone with malicious intent impersonating Windows Update has been discussed for years in the security community. It is sort of a nightmare scenario and I suppose it is good news that it was being used in such a limited way.
Few computers were compromised using this malware compared to the impact we would see if traditional opportunistic malware exploited this flaw. Fortunately the average user will now be protected from this attack moving forward.
These certificates can also be used for signing software for Microsoft's Windows Mobile and Windows Phone 7 devices, but no patch is available as of yet.
I think a friend of mine in the local Vancouver security community put it best: "Maybe 'Genuine Microsoft Advantage' should check the *other* side of the transaction?"
Chester Wisniewski is a senior security advisor at Sophos Canada, you can see his profile and his other work here.
Call 1300 880 160
Start a chat
Schedule a call
