
The Microsoft Update mechanism has been used to spread malware - k33l0r
http://www.f-secure.com/weblog/archives/00002377.html
======
semenko
The SecureList summary was much more detailed:
<http://www.securelist.com/en/blog/208193558/Gadget_in_the_middle_Flame_malware_spreading_vector_identified>

Flame took advantage of WPAD, a little-known magical hostname
(<http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol>)
to do MITM attacks on the Windows Update servers.

Flame then installed 'WuSetupV.exe' with the description "Desktop Gadget
Platform" "Allows you to display gadgets on your desktop".

What's amazing is that Windows Update doesn't require explicit validation of
an update-only certificate chain. It seems like any certificate from the
Microsoft root can certify updates (!).

------
debacle
This is like finding out the zombies have made it into the compound.

I wonder how big this hole is to fix. I also wonder, as many have, if this was
written by an Intelligence agency and, if so, if they had access to Windows'
source code.

~~~
tobias3
My Windows already fixed it. <http://support.microsoft.com/kb/2718704>

~~~
Animus7
The awesome part is how they force you to download an additional signed WGA
validator exe before the site coughs up the patch, which itself is signed. If
I were the attacker, I'd definitely be MITM'ing this page.

Zombies in the compound indeed.

------
fidotron
It really was an unbelievable oversight to use the same certs in the Terminal
Services activation system.

Quite a demonstration that even if you go to great pains to secure the code if
you aren't careful with your credentials then it's for nothing.

~~~
rbanffy
A very similar thing happened with France during WW2.

I always remind myself I'm not as smart as I think I am.

~~~
sillysaurus
What happened with France?

~~~
gojomo
I suspect it's a reference to 'the Maginot Line':

<http://en.wikipedia.org/wiki/Maginot_Line>

~~~
AlexFromBelgium
Oh yeah, sure, blame it on the Belgians!

~~~
pygy_
Fellow Belgian here, our ancestors had been naive...

Our main line of defense, the _fort d'Ében-Émael_, had been built by German
workers. The German army had their plans, and knew the weak point of the fort:
its vast, undefended roof (it was used as a football field by the soldiers).

During a dark night, they landed with gliders on the roof, and manually set up
shaped charges[1] to destroy the turrets, which were resistant to conventional
bombs.

Game over.

[1] <http://en.wikipedia.org/wiki/Shaped_charge>, damage seen from the
outside:
<http://upload.wikimedia.org/wikipedia/commons/thumb/f/f6/Eben-Emael03.JPG/250px-Eben-Emael03.JPG>

--

_Edited to reconcile my foggy memory with the historic truth..._

~~~
gaius
I'd be willing to bet some young combat engineer said "but what about the
roof?" and some old general replied "you'll never get a horse up there!".

~~~
pygy_
It's worse than that.

The roof should have been mined, but the soldiers petitioned the hierarchy to
keep their sports field...

------
sev
> I guess the good news is that this wasn't done by cyber criminals interested
> in financial benefit. They could have infected millions of computers.
> Instead, this technique has been used in targeted attacks, most likely
> launched by a Western intelligence agency.

You mean the bad news.

~~~
Achshar
They apparently were only thinking of monetary losses, but government
malware on my computer is a lot worse than credit card malware. At least we
know what credit card malware can do at best (or worst).

------
smackfu
Apparently the other tricky bit is that Windows can be set to auto-configure
network proxies (presumably for enterprise support), so the infected host
pretends to be the source of auto-config info in order to direct the other
systems to connect through it to get to Windows Update. At which point the
infected system can infect the package, which has been signed so it will auto-
install.

------
billpg
I saw the headline and thought "Oh (expletive) I let update run last night!",
but it turned out to be the revoked cert update.

------
joewee
"Western Intelligence" agencies really seem to be good at mucking stuff up.

------
MiguelHudnandez
Here we have an example of complexity arising from copy protection/licensing.
It so happens that this complexity caused a security vulnerability which, when
exploited on any one computer, affects close to a billion computers.

Is anyone else infuriated that a vulnerability like this exists in what is
analogous to copy protection code?

In other words, if Microsoft had been spending more of their resources on
making software work, instead of making software work only when you've proven
you've paid for it, this particular issue would not exist.

~~~
y0ghur7_xxx
The same would happen on Ubuntu if someone steals the repository keys. This
has nothing to do with copy protection.

~~~
MiguelHudnandez
But my point is that more teams needed access to signing keys because some of
those teams were dedicated only to licensing issues. If they didn't need
signing keys, those keys wouldn't have been compromised.

I suppose I can break it down another way.

Complexity introduces vulnerabilities.

Some complexity is necessary for the software to accomplish what the customer
wants.

Some complexity is arguably necessary to protect the interests of the vendor.
This is arguable because it varies between open source and proprietary
software.

To me, it is upsetting when the code to protect the vendor's interests is
where a critical security vulnerability exists. I don't think this is a
controversial statement.

~~~
exDM69
> But my point is that more teams needed access to signing keys because some
> of those teams were dedicated only to licensing issues. If they didn't need
> signing keys, those keys wouldn't have been compromised.

Cryptographically signed binaries are not used to manage licensing issues,
they are used to make sure that no-one intercepts your download and replaces
it with a malicious binary. It is absolutely essential that computer programs
are signed or delivered through a secure connection.

Losing your signing keys will make the entire system jeopardized and new keys
must be generated and securely transmitted (this is hard).

> To me, it is upsetting when the code to protect the vendor's interests is
> where a critical security vulnerability exists.

Yes, that would be upsetting if it were true. But it isn't. The whole system
is in place to protect you, the customer.

~~~
MiguelHudnandez
The issue was that Microsoft left behind the ability to sign code with a
Microsoft certificate by mistake.

The entire reason the attackers could use the certificate was because
Microsoft left behind that functionality in the suite of software that allows
enterprise customers to license their instances of Terminal Servers.

I am not railing against cryptographic signing as a concept -- what happened
was Microsoft played fast and loose with their certificate chain in order to
provide their customers with a way to prove that they had paid for software.

The certificate chain could have been a lot cleaner if that licensing bit
wasn't necessary.

------
meatsock
Let this be a lesson to you: run Windows Update frequently for maximum
security.

~~~
ktizo
Now available with new and faster bugs.

------
rsynnott
But does it refuse to install the malware if it arbitrarily decides that your
Windows is not genuine?

------
leephillips
So it's working as designed.

------
DigitalSea
Cue the sound of a thousand palms hitting faces at Microsoft HQ.

------
dholowiski
You realize you already have to be infected with the Flame virus for this to
work, right?

~~~
caf
No, you just have to be sharing a network with a host already infected with
Flame.

------
Arare
Oh look, another scaremongering and purposely misleading article from
F-Secure. This is starting to become a regular thing isn't it; I guess the
recession must have hit them particularly hard.

~~~
wrekkuh
I actually feel Mikko & the folks at F-Secure are very good at explaining
things to people who aren't everyday "virus fighters," but I felt the exact
same way you did (like they were scaremongering) when they said "The Nightmare
Scenario."

I'm on the fence about this issue, honestly. Part of me feels like they
believe passionately that we're stepping into new, dangerous territory. The
other part of me indeed feels like this is great advertising for not only
them, but their industry (And they're going to push it all they can).

But the fact of the matter is they admit they can't protect you, whoever you
are, from these types of targeted attacks. I've seen well respected speakers
from Defcon go back and forth with Mikko on Twitter about the efficiency of
AV.

It sucks you're (the parent) being downvoted but this is an issue, what with
the incredible amount of FUD that comes with every serious attack.

EDIT: My mistake in misspelling Mikko's name. Sorry about that.

~~~
mahmud
Mikko, Mikko Hyponnen. Not "Mykko".

~~~
cromulent
I believe it's Hyppönen, but Muphry's Law will probably strike me also ;)

