On Sunday, Microsoft issued Security Advisory 2718704 which announces an update that revokes the trust of two Microsoft-issued intermediate Certificate Authority (CA) certificates for all currently supported versions of Windows. The certificates revoked are:
- Microsoft Enforced Licensing Intermediate PCA (2 certificates)
- Microsoft Enforced Licensing Registration Authority CA (SHA1)
As outlined in Microsoft’s initial advisory, analysis of the Flame attack has shown that these certificates were used to issue unauthorized digital certificates, which the attackers then used to make components of the Flame attack appear to be signed by Microsoft. This made the malware components falsely appear to be Microsoft code, and it appears to have played a role in infecting systems through a man-in-the-middle (MitM) attack against Microsoft’s Windows Update mechanism.
While we and others have said that the Flame attack is limited and not a broad threat to customers, the ability to sign malicious code with these certificates and bypass security checks does represent a potential broad threat. While there is no indication at this time that other attacks have used these certificates to make malware look legitimate, it is a very real possibility that this could happen in the future.
We are urging all customers to deploy the updates associated with Microsoft Security Advisory 2718704 as soon as possible. This update will invalidate these certificates and flag any code signed by them, including possible malware, as untrusted.
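As an added example (not part of the original post), the following Windows PowerShell snippet checks whether the revoked Microsoft Enforced Licensing certificates are present in the local machine’s Untrusted Certificates store after the update, and reports how Windows now evaluates the Authenticode signature on a given file. It assumes the Cert: provider is available and uses a placeholder file path.

```powershell
# Added example, not code from the original post or from Microsoft.
# After the advisory 2718704 update, the two Microsoft Enforced Licensing
# intermediates should appear in the Disallowed ("Untrusted Certificates")
# store, which chain building treats as explicitly distrusted.

function Get-EnforcedLicensingDistrust {
    # Returns the distrusted certificates whose subject names the
    # Microsoft Enforced Licensing CAs; an empty result suggests the
    # update has not been applied on this machine.
    $pattern = 'Microsoft Enforced Licensing'
    Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
        Where-Object { $_.Subject -match $pattern } |
        Select-Object Subject, Issuer, Thumbprint, NotAfter
}

function Test-SignedFileTrust {
    param([Parameter(Mandatory)][string]$Path)

    # Get-AuthenticodeSignature validates the signer's chain; a signer
    # that chains to a Disallowed certificate yields a Status other than Valid.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File   = $Path
        Status = $sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Issuer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer } else { $null }
    }
}

$distrusted = @(Get-EnforcedLicensingDistrust)
if ($distrusted.Count -eq 0) {
    Write-Warning 'Microsoft Enforced Licensing certificates not found in the Disallowed store; verify the update is installed.'
} else {
    $distrusted | Format-Table -AutoSize
}

# Placeholder path: substitute the binary you want to check.
Test-SignedFileTrust -Path 'C:\Path\To\suspect.dll'
```

Run from an elevated prompt so the LocalMachine store is readable; a file whose signer chains to one of the listed certificates should no longer report a Valid status.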
As of Monday evening, Microsoft has also indicated on its blog that it will issue a further update in the future to strengthen the Windows Update mechanism against man-in-the-middle attacks. We urge all customers to make preparations now so that when this update is available, it can be deployed as soon as possible.
While there is no indication of broad attacks utilizing either the fraudulent digital certificates or man-in-the-middle attacks against Windows Update, these are very serious issues with the potential to be utilized for broad attacks. Customers should deploy the update available now as soon as possible, and the soon-to-be-released update as soon as it is available.
As we’ve noted, Trend Micro customers are protected against the Flame malware. In addition to deploying these updates as soon as possible, customers should ensure their Trend Micro products are running the latest updates and signatures to help ensure the broadest protection against any attempts to use these mechanisms in attacks.
As always, we will provide new information to customers as we find it on our blog.