Microsoft is planning an extensive overhaul of Windows Update after researchers determined that attackers using the Flame malware toolkit had conducted a man-in-the-middle attack against the Microsoft update mechanism.
The information came one day after Microsoft issued an emergency update revoking three unauthorized digital certificates derived from a Microsoft Certificate Authority. The certificates enabled the attackers to make software appear to come from Microsoft.
The hardening of Windows Update is expected to take place once the software giant determines that the emergency update is broadly deployed, said Mike Reavey, senior director of the Microsoft Security Response Center. In a blog post updating Windows users, Reavey said more information would be provided on the timing of the additional hardening.
“Our firm guidance is that customers should apply the update as soon as possible for one simple reason: The fact that malware can be created by attackers and made to look like it is from Microsoft would result in the malware being installed,” Reavey wrote. “Removing these certificates is the best first step and the update released yesterday prevents these unauthorized certificates from being used to attack systems running Windows software.”
Reavey said the attackers appeared to have used a cryptographic collision attack against a weak hash algorithm: the certificates involved were signed using MD5, for which researchers first demonstrated practical collisions in 2005. A collision lets an attacker obtain a legitimate signature over one certificate body and reuse it on a second body that has the same MD5 digest, because the signature covers the hash rather than the raw bytes. MD5 is a hash function, not an encryption algorithm; both it and SHA-1 are being replaced by the SHA-2 family in most applications.
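The following Python is an added illustration, not code from the article or from any of the vendors quoted in it. It hashes the well-known published MD5 collision pair (two distinct 128-byte messages that share one MD5 digest) and then models why that matters for certificates: a toy CA signature computed over the digest of one message verifies against the other. The "CA key" and the HMAC-based signing are constructed stand-ins for a real CA's RSA signature and are marked as such in the comments; the colliding bytes are the published example, not anything recovered from Flame. Forging a real certificate as the Flame attackers did requires a far harder chosen-prefix collision against a live certificate structure; this only shows the underlying property that made it possible.

```python
import hashlib
import hmac

# Published MD5 collision pair (Wang and Yu, 2005): two distinct 128-byte
# messages with identical MD5 digests. These are the well-known published
# example bytes, not data recovered from Flame.
MSG_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
MSG_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)
PUBLISHED_MD5 = "79054025255fb1a26e4bc422aef54eb4"

# Constructed stand-in for a CA's private key (assumption for this demo).
# The real chain used RSA; the property shown does not depend on the primitive.
CA_KEY = b"constructed-demo-ca-key"


def digest_hex(data: bytes, algo: str) -> str:
    return hashlib.new(algo, data).hexdigest()


def differing_offsets(a: bytes, b: bytes) -> list:
    """Byte positions at which the two messages differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def collides(a: bytes, b: bytes, algo: str, suffix: bytes = b"") -> bool:
    """True if a and b, each extended by the same suffix, share a digest under algo."""
    return digest_hex(a + suffix, algo) == digest_hex(b + suffix, algo)


def ca_sign(tbs: bytes, algo: str) -> str:
    """Toy signature: a MAC over the digest of the to-be-signed bytes.
    Like a real CA signature, it covers the hash, not the raw bytes."""
    return hmac.new(CA_KEY, hashlib.new(algo, tbs).digest(), "sha256").hexdigest()


def verify(tbs: bytes, sig: str, algo: str) -> bool:
    return hmac.compare_digest(ca_sign(tbs, algo), sig)


def signature_transfers(a: bytes, b: bytes, algo: str) -> bool:
    """Sign a, then check whether b passes verification with a's signature."""
    return verify(b, ca_sign(a, algo), algo)


def report() -> dict:
    # Constructed suffix standing in for the rest of a certificate body.
    suffix = b"common certificate tail (constructed)"
    return {
        "inputs_identical": MSG_A == MSG_B,
        "differing_offsets": differing_offsets(MSG_A, MSG_B),
        "md5_a": digest_hex(MSG_A, "md5"),
        "md5_collides": collides(MSG_A, MSG_B, "md5"),
        # Merkle-Damgard construction: once the internal state matches after a
        # whole number of blocks, any shared suffix preserves the collision.
        "md5_collides_with_suffix": collides(MSG_A, MSG_B, "md5", suffix),
        "sha256_collides": collides(MSG_A, MSG_B, "sha256"),
        "md5_signature_transfers": signature_transfers(MSG_A, MSG_B, "md5"),
        "sha256_signature_transfers": signature_transfers(MSG_A, MSG_B, "sha256"),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The two messages differ in six bytes, yet `md5_signature_transfers` is true: a signature minted over one body is accepted for the other, which is exactly the gap a forged certificate exploits. Under SHA-256 the same pair produces different digests and the transfer fails, which is why moving certificate chains off MD5 closes this particular door.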
Flame module spoofed Windows Update
The Flame attackers appear to have used the fraudulent digital certificates in a man-in-the-middle attack against Microsoft Update or Windows Server Update Services (WSUS), said Mikko Hypponen, chief research officer of Finnish antivirus maker F-Secure Corp. Once a victim's update traffic had been intercepted, the attacker dropped a malicious file on the victim's machine, Hypponen said.
“Most likely this function was used to spread further inside an organization or to drop the initial infection on a specific system,” Hypponen wrote on the F-Secure blog describing the likely attack technique.
The Flame malware attackers targeted fewer than 200 individuals in Iran and other countries in the Middle East and North Africa. The attacks are believed to be part of a nation-state sponsored cyberespionage campaign. The targeted attacks themselves are not a serious threat to most businesses, but Microsoft warned that the fraudulent digital certificates could be reused by less sophisticated attackers in a financially motivated malware campaign.
“Having a Microsoft code-signing certificate is the Holy Grail of malware writers,” Hypponen wrote. “I guess the good news is this wasn't done by cybercriminals interested in financial benefit.”
Symantec also published a detailed analysis of Flame's Windows Update attack. It said the attack enables the installation of a program called Tumbler, which checks the network interfaces and installed security products and then contacts a remote server to download Flame.