Microsoft closes the barn door

When the news broke last week that the Flame computer virus was probably built by the same nation (or nations) that commissioned the worm that attacked Iran’s nuclear program in 2010, it was only a matter of time before everything led back to the usual unwitting accomplice in these things: Microsoft.

That happened late yesterday when Microsoft acknowledged that a flaw in its software could be responsible for broader attacks. Writing on his blog, Mike Reavey, the senior director of Microsoft Security Response Center says:

We recently became aware of a complex piece of targeted malware known as “Flame” and immediately began examining the issue. As many reports assert, Flame has been used in highly sophisticated and targeted attacks and, as a result, the vast majority of customers are not at risk. Additionally, most antivirus products will detect and remove this malware. That said, our investigation has discovered some techniques used by this malware that could also be leveraged by less sophisticated attackers to launch more widespread attacks. Therefore, to help protect both targeted customers and those that may be at risk in the future, we are sharing our discoveries and taking steps to mitigate the risk to customers.

We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft. We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft. Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft.

As with most of these stories, it’s clear we need a more modern term for closing the barn door after the horse has left.