[GLLUG] Flame malware has spoofed MS-signed certificates

Clay Dowling clay at lazarusid.com
Tue Jun 5 12:41:42 EDT 2012


On 6/5/12 12:17 PM, Stan Mortel wrote:
> I know lots of you still have to deal with Windows, and this could be
> highly significant since it has the potential to make Microsoft Update
> a malware delivery mechanism. A patch is available but not yet
> included in the normal Windows Update process.

From reading the security brief, and from discussions elsewhere, the
problem isn't that the certificates are spoofed.  The certificates are
100% legit, which is what makes them so useful.  They're just not
certificates that were supposed to be used for app signing, and
Microsoft failed to put them in the revocation list for valid app
signatures.  If what I've read is correct, they're certs used by
Terminal Server for some other purpose than app signing.

I'm pretty sure there are lots of people at Microsoft auditing their
systems looking for other important bits they've left lying around.  It
can't make Microsoft happy to have their security update mechanism
subverted to compromise security.  Although I've seen plenty of examples
of that too.

Clay

