Microsoft will update Windows Update to stymie Flame-like attacks

Expert knocks the company for vague description of how it plans to 'harden' crucial Windows Update service

Microsoft today announced it will issue an update to its Windows Update to prevent copy-cat hackers from duplicating Flame's feat of infecting fully-patched PCs by faking the service.

The company also described in more detail how Flame's authors were able to spoof Windows Update.

On Sunday, Microsoft acknowledged that Flame -- the super-espionage toolkit that has infected Windows PCs throughout the Middle East, but appears to have been aimed at Iran in particular -- used fraudulent code-signing certificates generated by abusing the company's Terminal Services licensing certificate authority (CA), which is normally used by enterprises to authorize remote desktop services and sessions.

Later, Microsoft also confirmed that those certificates were used to sign bogus updates that were force-fed to uninfected PCs by a Flame-compromised computer on the same network.

Researchers at Kaspersky Lab and Symantec used their forensics analyses to more completely describe how Flame managed the feat.

Today, Microsoft said that Flame was able to trick Windows XP machines into accepting the phony Windows Updates once they generated digital certificates with Microsoft's own "signature."

But to dupe Windows Vista and Windows 7 systems, the hackers had to go a step further.

To do that, they leveraged several weaknesses in Microsoft's certificate infrastructure and signing to perform a cryptographic "collision attack," where two different values produce the same cryptographic "hash."

Jonathan Ness, an engineer with the Microsoft Security Response Center (MSRC), explained the results.

"After [the collision] attack, the attacker had a certificate that could be used to sign code that chained up to the Microsoft Root Authority and worked on all versions of Windows [emphasis added]," Ness wrote today on the Security Research & Defense blog.

The combination of the flaws in the Terminal Services' CA and the collision attack made it possible for Flame to hoodwink Windows Vista and Windows 7 PCs as well as those running the 11-year-old XP.

Microsoft's Windows Update team also blogged Wednesday to explain how it plans to better secure Windows' default update mechanism, which is used by hundreds of millions of PCs worldwide, to prevent a repeat of the Flame tactic.

An update for Windows Update will be pushed to users later this week. It will force the service to accept only certificates issued by a new, dedicated authority the company will create, and to stop accepting other Microsoft-signed certificates, as it has since its inception.

"Second, we are strengthening the communication channel used by Windows Update in a similar way," the blog stated.

Companies that use Windows Server Update Services (WSUS), a Windows Server component and the de facto patching and update mechanism for most businesses, will be updated in a similar fashion.
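The policy change described above, as an added illustration that is not Microsoft's or Windows Update's code: certificates are plain dicts, no real cryptography is performed, and the CA labels ("Microsoft Root Authority", "Terminal Services Licensing CA", "Windows Update CA") are assumed names standing in for the real ones. The old policy accepts any code-signing certificate that chains to the root, so a certificate minted under the licensing CA passes; the hardened policy additionally requires the chain to pass through the dedicated update CA.

```python
"""Toy model of update-signature trust before and after a dedicated update CA.

Added illustration, not Microsoft's code. A 'chain' here is only the issuer
links between constructed certificate records; no signatures are verified.
"""

# Constructed certificate store: subject -> (issuer, set of key usages).
# The CA names are illustrative labels, not the real Microsoft CA names.
CERTS = {
    "Microsoft Root Authority": ("Microsoft Root Authority", {"ca"}),
    "Terminal Services Licensing CA": ("Microsoft Root Authority", {"ca"}),
    "Windows Update CA": ("Microsoft Root Authority", {"ca"}),
    # Licensing CA issued certs that were usable for code signing (the flaw).
    "Enterprise License Server": ("Terminal Services Licensing CA", {"code-signing"}),
    "Windows Update Signer": ("Windows Update CA", {"code-signing"}),
    # A self-signed root nobody trusts, to show the root check still matters.
    "Rogue Root": ("Rogue Root", {"ca"}),
    "Rogue Signer": ("Rogue Root", {"code-signing"}),
}

TRUSTED_ROOT = "Microsoft Root Authority"
UPDATE_CA = "Windows Update CA"  # the dedicated authority the new policy pins


def build_chain(subject, certs=CERTS):
    """Walk issuer links from a leaf up to a self-signed root; return the path."""
    chain = [subject]
    while True:
        issuer, _ = certs[chain[-1]]
        if issuer == chain[-1]:          # self-signed: reached a root
            return chain
        if issuer in chain:
            raise ValueError("issuer loop in chain")
        chain.append(issuer)


def accepts_old_policy(subject, certs=CERTS):
    """Pre-fix rule: any code-signing cert chaining to the trusted root is accepted."""
    chain = build_chain(subject, certs)
    return chain[-1] == TRUSTED_ROOT and "code-signing" in certs[subject][1]


def accepts_new_policy(subject, certs=CERTS):
    """Hardened rule: same as before, plus the chain must pass through UPDATE_CA."""
    chain = build_chain(subject, certs)
    return (chain[-1] == TRUSTED_ROOT
            and UPDATE_CA in chain[1:-1]        # an intermediate, not the leaf or root
            and "code-signing" in certs[subject][1])
```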

Andrew Storms, director of security operations at nCircle Security, was disappointed in the lack of detail in Microsoft's explanation of the changes. "They basically admitted that Windows Update was man-in-the-middled, but then said very little about how they are fixing it," Storms said in an interview via instant messaging Wednesday.

"Basically they crossed the certificate streams between Windows Update and other security services in Windows," Storms continued, getting in a reference to Ghostbusters. "Crossing the streams is bad.... Windows Update should have been on an entirely different [certificate] stream than anything else. It's just too darned important to have been intermingled with any other chain of trust, and this shows exactly what can happen."

Wolfgang Kandek, chief technology officer at Qualys, read the Windows Update blog the same way as Storms.

"They fixed the immediate problem by revoking the certificates, but now they need to prevent others from copying Flame's mechanism," said Kandek. "So they're saying that 'We will start to sign updates with Windows Update-specific certificates instead of just any certificates.' Windows Update will be more picky about what certificates it accepts."

Windows PCs that have not applied the certification revocation Microsoft issued last Sunday remain vulnerable to the same kind of attack that Flame demonstrated, Kandek noted.

"Others will reverse-engineer this," he predicted. "It took Microsoft a couple of days to do that, and [some cybercriminals] are just as smart as the guys at Microsoft."

One potential problem both Storms and Kandek saw is that even after Microsoft updates Windows Update this week, it will have to support both the new, more secure process and the older, proven-to-be-vulnerable practice of accepting a broader range of certificates.

Doing otherwise would block all Windows PCs that have not deployed the upcoming Windows Update upgrade from receiving critical security patches. "And who knows how long they'll have to do that," said Storms.

Although updates to Windows Update don't rely on users having set the mechanism to automatically receive and install all fixes and feature additions -- Windows Update updates are installed whenever the service is turned on, even if manually -- many PC owners have the service disabled and never use it. Experts have always suspected that users running counterfeit or pirated copies of Windows avoid Windows Update because they fear being found out.

Microsoft did not set a day this week when it will issue the update for Windows Update.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is
