Microsoft Security Advisory (2718704)

ronjor · Jun 3, 2012

Unauthorized Digital Certificates Could Allow Spoofing

Published: Sunday, June 03, 2012

Version: 1.0
General Information
Executive Summary

Microsoft is aware of active attacks using unauthorized digital certificates derived from a Microsoft Certificate Authority. An unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows.

Microsoft is providing an update for all supported releases of Microsoft Windows. The update revokes the trust of the following intermediate CA certificates:

Microsoft Enforced Licensing Intermediate PCA (2 certificates)
Microsoft Enforced Licensing Registration Authority CA (SHA1)

Recommendation. For supported releases of Microsoft Windows, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service. For more information, see the Suggested Actions section of this advisory. For affected devices, no update is available at this time.
Click to expand...

https://technet.microsoft.com/en-us/security/advisory/2718704

elapsed · Jun 3, 2012

Got the update on Windows 8 too, thanks for the notification.

ronjor · Jun 3, 2012

Small and painless update.

guest · Jun 4, 2012

Microsoft certification authority signing certs added to the Untrusted Cert Store

*

Source.

Microsoft said:

Today, we released Security Advisory 2718704, notifying customers that unauthorized digital certificates have been found that chain up to a Microsoft sub-certification authority issued under the Microsoft Root Authority. With this blog post, we’d like to dig into more technical aspects of this situation, potential risks to your enterprise, and actions you can take to protect yourself against any potential attacks that would leverage unauthorized certificates signed by Microsoft.

We'd also like to share how this issue relates to a complex piece of targeted malware known as "Flame". As many reports assert, Flame has been used in highly sophisticated and targeted attacks and, as a result, the vast majority of customers are not at risk. Additionally, most antivirus products will detect and remove this malware. That said, our investigation has discovered some techniques used by this malware that could also be leveraged by less sophisticated attackers to launch more widespread attacks. Therefore, to help protect both targeted customers and those that may be at risk in the future, we are sharing our discoveries and taking steps to mitigate the risk to customers.

Read more: http://blogs.technet.com/b/srd/arch...added-to-the-untrusted-certificate-store.aspx
Click to expand...

Hungry Man · Jun 4, 2012

Re: Microsoft certification authority signing certs added to the Untrusted Cert Store

Nope, someone beat you to it in another topic (can't find a link atm) and I've already even blogged about it.

guest · Jun 4, 2012

Re: Microsoft certification authority signing certs added to the Untrusted Cert Store

...Connection to Flame malware

Components of the Flame malware were signed with a certificate that chained up to the Microsoft Enforced Licensing Intermediate PCA certificate authority, and ultimately, to the Microsoft Root Authority. This code-signing certificate came by way of the Terminal Server Licensing Service that we operate to issue certificates to customers for ancillary PKI-based functions in their enterprise. Such a certificate could (without this update being applied) also allow attackers to sign code that validates as having been produced by Microsoft...
Click to expand...

Taken from: http://blogs.technet.com/b/srd/arch...added-to-the-untrusted-certificate-store.aspx

Hungry Man · Jun 4, 2012

Re: Microsoft certification authority signing certs added to the Untrusted Cert Store

Much better.

guest · Jun 4, 2012

Truly critical update.

ronjor said:

Small and painless update.
Click to expand...

Got it too, thanks.

ronjor, please, merge my other thread with this one. You posted about it first and I didn't see.

Cudni · Jun 4, 2012

What it looked like before being revoked
http://twitpic.com/9sobor

siljaline · Jun 4, 2012

Thanks for posting this Ron, as an informal poll among Win 7 users has shown this small patch was and is not available on Wndows Update.
Unless a lay user is pointed at the link, they will not see this patch. Thus far ....

http://blogs.technet.com/b/msrc/archive/2012/06/03/microsoft-releases-security-advisory-2718704.aspx

ronjor said:

Small and painless update.
Click to expand...

fax · Jun 4, 2012

Strange, the advisory clearly points to windows update as a mean to patch. Or I misunderstood your post?

The majority of customers have automatic updating enabled and will not need to take any action because the KB2718704 update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.
Click to expand...

http://technet.microsoft.com/en-us/security/advisory/2718704

And this is from a WIN7 system:

SoCalReviews · Jun 4, 2012

I am guessing that this Windows update is why my XP machine rebooted itself at 3 am this morning.

ronjor · Jun 4, 2012

Win XP requires a reboot with this update. Vista/Seven do not.

The Hammer · Jun 4, 2012

fax said:

Strange, the advisory clearly points to windows update as a mean to patch. Or I misunderstood your post?

http://technet.microsoft.com/en-us/security/advisory/2718704
Click to expand...

Windows update,that's how I got it.

SoCalReviews · Jun 4, 2012

I'm good with the XP update and required reboot. For some reason I had my speaker volume turned way up. I am not so good with the XP system shut down and start up sounds jolting me out of my sleep at 3 am.

This reason alone would justify an upgrade to Windows 7.

siljaline · Jun 4, 2012

You may fetch the patch via Windows Update (recommended) - or via the KB article here: http://support.microsoft.com/kb/2718704

When Microsoft offers an update via Windows Update, this would be the preferred method. For IT Pro's, etc - use your discretion in deploying these to your clients, workstations and so on.

Flame speading from PC to PC via hijacked Windows Update puts more emphasis on keeping your PC patched and current, more than ever.

ronjor · Jun 5, 2012

Security Advisory 2718704: Update to Phased Mitigation Strategy

To increase protection for customers, the next action of our mitigation strategy is to further harden Windows Update as a defense-in-depth precaution. We will begin this update following broad adoption of Security Advisory 2718704 in order not to interfere with that update’s worldwide deployment. We will provide more information on the timing of the additional hardening to Windows Update in the near future.
Click to expand...

https://blogs.technet.com/b/msrc/ar...ased-mitigation-strategy.aspx?Redirected=true

elapsed · Jun 5, 2012

Awesome, I guess the Windows Update hardening is to prevent the Flame malware spoofing updates.

ronjor · Jun 5, 2012

Follow-up to Microsoft Security Advisory 2718704: Why and How to Reactivate License Servers in Terminal Services and Remote Desktop Services

Given the recent communications from the Microsoft Security Response Center regarding measures taken by Microsoft to address the risk of unauthorized software certificate signatures associated with “Flame” malware, we wanted to share information describing how this impacts license servers in Terminal Services and Remote Desktop Services.

This change requires no specific action on the part of the Terminal Services or Remote Desktop Services administrator unless the administrator needs to set up a new or reactivate an existing Terminal Services license server or Remote Desktop license server, or install a new client access license (CAL) pack on a license server.
Click to expand...

https://blogs.msdn.com/b/rds/archiv...-remote-desktop-services.aspx?Redirected=true

xxJackxx · Jun 6, 2012

ronjor said:

Win XP requires a reboot with this update. Vista/Seven do not.
Click to expand...

Also Server 2003/R2 requires a reboot. Server 2008/R2 do not.

ronjor · Jun 6, 2012

Flame malware collision attack explained

swiat
6 Jun 2012 8:57 AM

Since our last MSRC blog post, we’ve received questions on the nature of the cryptographic attack we saw in the complex, targeted malware known as Flame. This blog summarizes what our research revealed and why we made the decision to release Security Advisory 2718704 on Sunday night PDT. In short, by default the attacker’s certificate would not work on Windows Vista or more recent versions of Windows. They had to perform a collision attack to forge a certificate that would be valid for code signing on Windows Vista or more recent versions of Windows. On systems that pre-date Windows Vista, an attack is possible without an MD5 hash collision. This certificate and all certificates from the involved certificate authorities were invalidated in Security Advisory 2718704. We continue to encourage all customers who are not installing updates automatically to do so immediately.
Click to expand...

https://blogs.technet.com/b/srd/arc...o-sign-the-flame-malware.aspx?Redirected=true

Hungry Man · Jun 7, 2012

Microsoft Hardens Windows Update

http://www.darkreading.com/advanced...rdens-windows-update-after-flame-attacks.html

Microsoft has revealed details on how it is hardening its Windows Update mechanism in response to the recent discovery that the Flame malware had abused it.
The software giant, which announced this week that it would beef up Windows Update, said yesterday that the newly hardened Windows Update and Windows Server Update Services (WSUS) infrastructures will be rolled out during the next few days.
Click to expand...

dw426 · Jun 7, 2012

Re: Microsoft Hardens Windows Update

Good deal, though I'm sure the ladies and gents behind these weapons will work their way around it or find some other way to plow through it.

elapsed · Jun 7, 2012

Re: Microsoft Hardens Windows Update

It appears to claim it will happen during next weeks Windows Update, surprising fast for Microsoft.

dw426 · Jun 7, 2012

Re: Microsoft Hardens Windows Update

elapsed said:

It appears to claim it will happen during next weeks Windows Update, surprising fast for Microsoft.
Click to expand...

I think MS has learned its lesson from so many years of piddling around. Plus, using Windows Update for malware is just one PR calamity they really don't want to have to deal with. It's one thing for some little bug buried deep in code to help out in an attack, it's quite another for the very system that patches and tries to keep umpteen millions of users safe to be used as a weapon.

Log in or Sign up

Microsoft Security Advisory (2718704)

ronjor Global Moderator

elapsed Registered Member

ronjor Global Moderator

guest Guest

Hungry Man Registered Member

guest Guest

Hungry Man Registered Member

guest Guest

Cudni Global Moderator

siljaline Registered Member

fax Registered Member

SoCalReviews Registered Member

ronjor Global Moderator

The Hammer Registered Member

SoCalReviews Registered Member

siljaline Registered Member

ronjor Global Moderator

elapsed Registered Member

ronjor Global Moderator

xxJackxx Registered Member

ronjor Global Moderator

Hungry Man Registered Member

dw426 Registered Member

elapsed Registered Member

dw426 Registered Member

Log in or Sign up

Microsoft Security Advisory (2718704)

ronjor Global Moderator

elapsed Registered Member

ronjor Global Moderator

guest Guest

Hungry Man Registered Member

guest Guest

Hungry Man Registered Member

guest Guest

Cudni Global Moderator

siljaline Registered Member

fax Registered Member

SoCalReviews Registered Member

ronjor Global Moderator

The Hammer Registered Member

SoCalReviews Registered Member

siljaline Registered Member

ronjor Global Moderator

elapsed Registered Member

ronjor Global Moderator

xxJackxx Registered Member

ronjor Global Moderator

Hungry Man Registered Member

dw426 Registered Member

elapsed Registered Member

dw426 Registered Member

Useful Searches