Categories: SecurityWorkspace

Microsoft ‘Oversight’ Helped Flame Spread

An “oversight” by Microsoft back in 2009 helped Flame spread, as it allowed attackers to effectively create fake certificates for malicious Windows updates, according to a cryptographic expert.

Professor Ronald Cramer, head of the Cryptology Research Group at the Centrum Wiskunde & Informatica (CWI) in Amsterdam, told TechWeekEurope that whilst he was not blaming anyone for the spread of Flame, Microsoft was guilty of an “important oversight”.

Research from 2009 showed how hackers could exploit weaknesses to carry out what is known as an MD5 collision attack. Super-powered cyber-espionage tool Flame used a variant of this attack vector to spread.

Despite knowing about the 2009 research, Microsoft failed to stop MD5 hashes from being used in its Terminal Server Licensing server from which certificates were issued – something which Flame exploited, TechWeekEurope was told.

In the case of Flame’s MD5 collision attack, hackers took a legitimate Microsoft certificate using the MD5 specification for its hash and RSA-2048 encryption for its public key algorithm. They then created a similar certificate using the same MD5 hash. An RSA-2048 signature was then grafted onto the forged certificate to make it seem legitimate.

Flame’s operators used fake certificates to dupe users into downloading malicious software, which then helped the worm propagate.

Cramer versus Flamer

Cramer and co-cryptanalist Marc Stevens had been led to believe that the use of MD5-based signatures was killed off completely on 15 January 2009. However, Microsoft had not done so in its Terminal Server Licensing server.

This also meant that the attack method was open to anyone who knew about it since 2009.

“Microsoft overlooked a part of their system where they should have been blocking [MD5-based signatures], but it turned out not to have blocked them,” Cramer said. When asked whether Microsoft should have picked up on the issue in 2009, Cramer said “common sense would suggest that this is the case.”

Cramer believes that Flame may have used another attack vector to spread if it could not have used fake Microsoft certificates. “Perhaps Flame might have selected another delivery method. But it is obvious that had the MD5-based signatures been blocked to the whole required extent, then this wouldn’t have been the delivery method for Flame,” he added.

Cramer and Stevens’ analysis suggested that “world class cryptanalysis” was behind the creation of Flame. The worm’s operators used a “scientifically interesting” variation of methods that Stevens was responsible for highlighting in 2009.

“This is certainly not trivial,” Cramer added. “This would require world-class skill, understanding and inventiveness.”

At the time of publication, Microsoft had not responded to a request for comment. The company has hardened its certification system, killing off any traces of those signatures used by Flame.

Are you a security pro? Test yourself with our quiz!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Recent Posts

Ericsson To Cut 1,200 Jobs in Sweden Amid ‘Challenging’ Market

Swedish telecoms giant Ericsson blamed “challenging mobile networks market” and “further volume contraction” for job…

1 hour ago

FTX’s Sam Bankman-Fried Sentenced To 25 Years In Prison For $8bn Fraud

Dramatic downfall. Sam Bankman-Fried sentenced to 25 years in prison for masterminding $8bn fraud that…

2 hours ago

Elon Musk Orders FSD Demo For Every Tesla US Sale

Fallout avoidance? Tesla buyers in the US must be shown how to use the FSD…

3 hours ago

Amazon Pumps Another $2.75 Billion Into Anthropic

Amazon completes its $4bn investment into AI firm Anthropic, after providing an additional $2.75bn in…

5 hours ago

The Sustainability of AI

While AI promises unparalleled efficiency, productivity, and innovation, questions regarding its environmental impact loom large.…

8 hours ago

Trump’s Truth Social Makes Successful Market Debut

Shares in Donald Trump’s social media company rose about 16 percent after first day of…

8 hours ago