Out of band Microsoft patch quenches Flame malware exploit vector
The Flame malware has been a hot topic for the past week, since it was discovered infecting industrial computer systems in the Middle East and Iran. This malware is highly sophisticated and is designed for spying on carefully selected industrial and government systems. It has attracted a lot of attention in the short time it has been known to security companies, and today it got Microsoft's attention.
Today, June 4, 2012, Microsoft issued an out-of-band patch for one of the vulnerabilities used by Flame to infect Windows computers. Patch KB2718704 is now being pushed to all supported versions of Windows via Windows Update. I just applied it to my Windows 7 PC and it did not require a restart.
What vulnerability does patch 2718704 fix?
According to Microsoft's security advisory, one of the infection vectors used by the Flame malware exploits an old feature of Windows Terminal Services that is used for Remote Desktop connections. Specifically, the issue is titled "Unauthorized Digital Certificates Could Allow Spoofing" and is described as follows:
"Microsoft is aware of active attacks using unauthorized digital certificates derived from a Microsoft Certificate Authority. An unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows."
The advisory reveals that at least three unauthorized signed certificates are being used in the Flame attacks. Additionally, this patch addresses unauthorized digital certificates described in previous advisories: Microsoft Security Advisory 2524375, Microsoft Security Advisory 2607712, and Microsoft Security Advisory 2641690.
What does this patch do?
We (Microsoft) have updated the Untrusted Certificate Store to remove the trust in the affected Microsoft certification authorities.
Today's advisory goes on to urge everyone running any supported version of Windows, including XP (with SP3), Vista, 7, Server 2003 and Server 2008, to run Windows Update immediately and install patch KB2718704.
If the Flame is an industrial espionage Trojan, why should we all have to patch against it?
We have previous experience with a similar computer worm, discovered in June 2010, which was also designed for industrial espionage. That worm was meant to infect only nuclear facilities in Iran, but it accidentally broke loose and infected an untold number of business and personal computers around the world, none of which were its intended targets. That malware is known as the Stuxnet worm, and it is still infecting computer systems two years after being discovered.
So, while you and I are probably not intended targets of the Flame malware, now that it is loose, it is prudent to apply the patch that blocks one of its most common methods of propagating. Go to Windows Update on all of your Windows computers, check for patch KB2718704 and install it.
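For anyone who wants to confirm that the patch actually took effect on a machine, here is a PowerShell check. It is an added example, not code from the original post or from Microsoft: it looks for the update in the installed-hotfix list and then lists what the machine-wide Untrusted (Disallowed) certificate store now distrusts. The "Microsoft" name filter is an assumption, since this page does not list the revoked certificates by name.

```powershell
# Added verification script (not from the original post).
# Confirms that KB2718704 is recorded as installed and shows the effect the
# advisory describes: Microsoft CA entries placed in the Untrusted store.

$kb = 'KB2718704'

function Test-FlamePatchInstalled {
    # Get-HotFix queries the installed-updates list (Win32_QuickFixEngineering).
    $hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    if ($hotfix) {
        "{0} is installed (InstalledOn: {1})" -f $kb, $hotfix.InstalledOn
        return $true
    }
    "$kb was not found in the installed updates - run Windows Update"
    return $false
}

function Get-UntrustedMicrosoftCerts {
    # Cert:\LocalMachine\Disallowed is the machine-wide Untrusted Certificates
    # store; certificates here are explicitly distrusted regardless of chain.
    $untrusted = Get-ChildItem -Path Cert:\LocalMachine\Disallowed
    "Untrusted store holds {0} certificate(s) in total" -f $untrusted.Count

    # Assumption: the revoked CAs carry "Microsoft" in their subject or issuer.
    $untrusted |
        Where-Object { $_.Subject -like '*Microsoft*' -or $_.Issuer -like '*Microsoft*' } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint
}

$installed = Test-FlamePatchInstalled
Get-UntrustedMicrosoftCerts | Format-Table -AutoSize

if (-not $installed) {
    Write-Warning "Patch missing: the Untrusted store may not yet contain the revoked CAs."
}
```

Run it from an elevated PowerShell prompt so the LocalMachine store is readable; an empty table after the patch is installed means the name filter needs adjusting, not that the patch failed.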
If you like this article please share it.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.