Ad: Manage updates with the Download App
ie8 fix

Spyware, viruses, & security forum: Microsoft Security Advisory (2718704)

by: Carol~ June 4, 2012 8:04 AM PDT

Like this

0 people like this thread

Staff pick

Microsoft Security Advisory (2718704)

by Carol~ Moderator - 6/4/12 8:04 AM

Unauthorized Digital Certificates Could Allow Spoofing

Published: Sunday, June 03, 2012
Version: 1.0

Executive Summary:

Microsoft is aware of active attacks using unauthorized digital certificates derived from a Microsoft Certificate Authority. An unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows.

Microsoft is providing an update for all supported releases of Microsoft Windows. The update revokes the trust of the following intermediate CA certificates:

• Microsoft Enforced Licensing Intermediate PCA (2 certificates)
• Microsoft Enforced Licensing Registration Authority CA (SHA1)

Recommendation For supported releases of Microsoft Windows, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service. For more information, see the Suggested Actions section of this advisory. For affected devices, no update is available at this time.

Suggested Actions:

The majority of customers have automatic updating enabled and will not need to take any action because the KB2718704 update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

For administrators and enterprise installations, or end users who want to install the KB2718704 update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service. For more information on how to manually apply the update, see Microsoft Knowledge Base Article 2718704.

For Windows Mobile 6.x, Windows Phone 7, and Windows Phone 7.5 devices, no update is available at this time.

For Further Details: http://technet.microsoft.com/en-us/security/advisory/2718704


Reply
Report offensive post
Email to friend

Regarding Security Advisory 2718704

by Carol~ Moderator - 6/4/12 8:16 AM

In Reply to: Microsoft Security Advisory (2718704) by Carol~ Moderator

Mike Reavey @ the Microsoft Security Response Center Blog:

We recently became aware of a complex piece of targeted malware known as "Flame" and immediately began examining the issue. As many reports assert, Flame has been used in highly sophisticated and targeted attacks and, as a result, the vast majority of customers are not at risk. Additionally, most antivirus products will detect and remove this malware. That said, our investigation has discovered some techniques used by this malware that could also be leveraged by less sophisticated attackers to launch more widespread attacks. Therefore, to help protect both targeted customers and those that may be at risk in the future, we are sharing our discoveries and taking steps to mitigate the risk to customers.

We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft. We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft. Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft.

We are taking several steps to remove this risk:

• First, today we released a Security Advisory outlining steps our customers can take to block software signed by these unauthorized certificates.

• Second, we released an update that automatically takes this step for our customers.

• Third, the Terminal Server Licensing Service no longer issues certificates that allow code to be signed.

These actions will help ensure that any malware components that might have been produced by attackers using this method no longer have the ability to appear as if they were produced by Microsoft.

We continue to investigate this issue and will take any appropriate actions to help protect customers. For more information, please refer back to this site and check with your anti-malware vendor for detection support.

Continued : http://blogs.technet.com/b/msrc/archive/2012/06/03/microsoft-releases-security-advisory-2718704.aspx

Also See: Microsoft certification authority signing certificates added to the Untrusted Certificate Store


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Advisory 271804: Collision attack details, WU update rollout

by Carol~ Moderator - 6/7/12 11:36 AM

In Reply to: Microsoft Security Advisory (2718704) by Carol~ Moderator

Security Advisory 2718704: Collision attack details, WU update rollout

Mike Reavey on June 6 @ the Microsoft Security Response Center Blog:

Today, as a part of our continuing phased mitigation strategy recently discussed, we have initiated the additional hardening of Windows Update. We've also provided more information about the MD5 hash-collision attacks used by the Flame malware in the SRD blog. This information should help answer questions from customers about the nature of these collision attacks. We continue to encourage all customers who are not installing updates automatically to do so immediately.

To attack systems using Windows Vista and above, a potential attacker would have needed access to the now invalid Terminal Server Licensing Service certificates and the ability to perform a sophisticated MD5 hash collision. On systems that pre-date Vista, an attack is possible without an MD5 hash collision. In either case, of course, an attacker must get his signed code onto the target system. This can be done if the client's Automatic Update program receives the attacker's signed package because such packages are trusted so long as they are signed with a Microsoft certificate. Windows Update can only be spoofed with an unauthorized certificate combined with a man-in-the-middle attack. To address this issue, we are also taking steps to harden the Windows Update infrastructure and ensure additional protections are in place.

When events like the current one occur, it's important for us to respond quickly and help protect customers as the first priority. This is why our initial response was to invalidate the entire certificate authority hierarchy associated with Terminal Server licensing. This applied to both present and past certificates, rather than just the specific certificates known to be used by the Flame malware. This was a broad action and was the fastest way to protect the largest number of customers. This is also why we continued our investigation and are hardening the Windows Update channel to further increase protection. And that is why we've waited until today, after most customers are protected from the risk posed by these certificates, to provide even more detail into how the cryptographic collisions were used in these attacks.

You can expect that we will continue to evaluate additional hardening of both the Windows Update channel and our code signing certificate controls as part of our ongoing analysis.

http://blogs.technet.com/b/msrc/archive/2012/06/06/security-advisory-2718704-collision-attack-details-wu-update-rollout.aspx

From the Security Research & Defense (SRD) Blog: Flame malware collision attack explained


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Forum Icon Legend

  • UnreadUnread
  • ReadRead
  • Locked threadLocked thread
  •   
  •   
  •   
  •   
  •   
  •   
  •   
  • ModeratorModerator
  • CNET StaffCNET Staff
  • Samsung StaffSamsung Staff
  • Norton Authorized Support TeamNorton Authorized Support Team
  • AVG StaffAVG Staff
  • avast! Staffavast! Staff
  • Webroot Support TeamWebroot Support Team
  • Acer Customer Experience TeamAcer Customer Experience Team
  • Windows Outreach TeamWindows Outreach Team
  • DISH staffDISH staff
  • Dell StaffDell Staff
  • Intel StaffIntel Staff
  • QuestionQuestion
  • Resolved questionResolved question
  • General discussionGeneral discussion
  • TipTip
  • Alert or warningAlert or warning
  • PraisePraise
  • RantRant

You are e-mailing the following post: Post Subject

Your e-mail address is used only to let the recipient know who sent the e-mail and in case of transmission error. Neither your address nor the recipient's address will be used for any other purpose.

Sorry, there was a problem emailing this post. Please try again.

Submit Email Cancel

Thank you. Sent email to

Close

Thank you. Sent email to

Close

You are reporting the following post: Post Subject

If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.

Offensive: Sexually explicit or offensive language

Spam: Advertisements or commercial links

Disruptive posting: Flaming or offending other users

Illegal activities: Promote cracked software, or other illegal content

Sorry, there was a problem submitting your post. Please try again.

Submit Report Cancel

Your message has been submitted and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.

Close

Your message has been submitted and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.

Close

You are posting a reply to: Post Subject

The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to the CNET Forums policies for details. All submitted content is subject to CBS Interactive Site Terms of Use.

You are currently tracking this discussion. Click here to manage your tracked discussions.

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

Sorry, there was a problem submitting your post. Please try again.

Sorry, there was a problem generating the preview. Please try again.

Duplicate posts are not allowed in the forums. Please edit your post and submit again.

Submit Reply Preview Cancel

Thank you, , your post has been submitted.

> Click here to view your post. > Manage your tracked discussions. > Track this discussion. Close

Thank you, , your post has been submitted and will appear on our site shortly.

Close