June 04, 2012, 3:21 PM — Businesses should install a Microsoft security update to avoid being duped by exploited certificates that were used as part of the Flame malware attack against targeted Iranian computer networks.
The update fixes a vulnerability in Microsoft's Terminal Server Licensing Service that allowed signing of software with certificates as if it were code originating from Microsoft, the company said in a blog post.
BACKGROUND: Flame Malware: All You Need to Know
The post, written by Mike Reavey, the senior director of Microsoft Trustworthy Computing, says an older cryptography algorithm proved exploitable and could be used to sign malicious code to certify that it came from Microsoft.
Terminal Services Licensing Service provided certificates that were permitted to sign code as if it came from Microsoft, the blog says. The certificates were intended to authorize Remote Desktop services securely.
The company issued a security advisory about how to correct the problem, and recommends that customers apply the update using update management software or Microsoft Update service.
"The update revokes the trust of the following intermediate [certificate authority] certificates: Microsoft Enforced Licensing Intermediate PCA (2 certificates), Microsoft Enforced Licensing Registration Authority CA (SHA1)," the advisory says.
An intermediate CA is a certificate authority that doesn't have the trust of the device it is connecting to, but it does have the trust of a root CA that the device does trust. Chains of intermediate CAs can lead back to a trusted root CA, and devices attempt to follow those chains to establish authenticity of certificates.
Weaknesses in this chain-of-trust system have were exploited repeatedly last year against SSL certificates used by browsers to authenticate websites. This led to repeated calls for a new authentication system.