Some components of the Flame spyware worm were signed using forged Microsoft certificates, according to a recent investigation by Microsoft. These unauthorised digital certificates allowed the Flame developers to make the malware appear as if it was actually created and approved by Microsoft. The company has already released an emergency patch via Windows Update to block the certificates used by Flame.

Mike Reavey, Senior Director of Microsoft's Security Response Center (MSRC), says that the malicious code was signed using the company's Terminal Server Licensing Service, which is used by corporate customers to authorise Remote Desktop services. While Reavey doesn't provide specific details on how the Flame developers were able to sign their code with such certificates, he does say that it has something to do with exploiting a weakness in "an older cryptography algorithm".

This could mean that the Microsoft Certificate Authority (CA) used the MD5 algorithm, which is now considered to be insecure, to sign these certificates. By creating two certificates with the same MD5 hash – a so called hash collision – an attacker can transfer the Microsoft signature from a legitimate Terminal Server certificate to his fraudulent code signing certificate. Because of the matching hash, the Microsoft signature will be accepted as valid and the certificate can then be used to sign code.

"The Terminal Server Licensing Service no longer issues certificates that allow code to be signed", added Reavey. In total, three certificates are affected; these include two "Microsoft Enforced Licensing Intermediate PCA" certificates issued by "Microsoft Root Authority", and a "Microsoft Enforced Licensing Registration Authority CA (SHA1)" certificate from "Microsoft Root Certificate Authority". The emergency patch issued by Microsoft for all supported versions of Windows moves these to the Untrusted Certificate Store, blocking software signed by the unauthorised certificates.

Further information, including the thumbprints of the affected certificates, can be found in a TechNet blog post by MSRC Engineering team member Jonathan Ness.

See also:

Note: This article has been updated since publication to be clearer on how hash collisions could be used to sign a fraudulent certificate.

(crve)