Spyware, Viruses, & Security forum


Microsoft Security Advisory (2718704)

by Carol~ Moderator / June 4, 2012 1:04 AM PDT
Unauthorized Digital Certificates Could Allow Spoofing

Published: Sunday, June 03, 2012
Version: 1.0

Executive Summary:

Microsoft is aware of active attacks using unauthorized digital certificates derived from a Microsoft Certificate Authority. An unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows.

Microsoft is providing an update for all supported releases of Microsoft Windows. The update revokes the trust of the following intermediate CA certificates:

• Microsoft Enforced Licensing Intermediate PCA (2 certificates)
• Microsoft Enforced Licensing Registration Authority CA (SHA1)

Recommendation: For supported releases of Microsoft Windows, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service. For more information, see the Suggested Actions section of this advisory. For affected devices, no update is available at this time.

Suggested Actions:

The majority of customers have automatic updating enabled and will not need to take any action because the KB2718704 update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

For administrators and enterprise installations, or end users who want to install the KB2718704 update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service. For more information on how to manually apply the update, see Microsoft Knowledge Base Article 2718704.

For Windows Mobile 6.x, Windows Phone 7, and Windows Phone 7.5 devices, no update is available at this time.

For Further Details: http://technet.microsoft.com/en-us/security/advisory/2718704
Regarding Security Advisory 2718704
by Carol~ Moderator / June 4, 2012 1:16 AM PDT

Mike Reavey @ the Microsoft Security Response Center Blog:

We recently became aware of a complex piece of targeted malware known as "Flame" and immediately began examining the issue. As many reports assert, Flame has been used in highly sophisticated and targeted attacks and, as a result, the vast majority of customers are not at risk. Additionally, most antivirus products will detect and remove this malware. That said, our investigation has discovered some techniques used by this malware that could also be leveraged by less sophisticated attackers to launch more widespread attacks. Therefore, to help protect both targeted customers and those that may be at risk in the future, we are sharing our discoveries and taking steps to mitigate the risk to customers.

We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft. We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft. Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft.

We are taking several steps to remove this risk:

• First, today we released a Security Advisory outlining steps our customers can take to block software signed by these unauthorized certificates.

• Second, we released an update that automatically takes this step for our customers.

• Third, the Terminal Server Licensing Service no longer issues certificates that allow code to be signed.

These actions will help ensure that any malware components that might have been produced by attackers using this method no longer have the ability to appear as if they were produced by Microsoft.

We continue to investigate this issue and will take any appropriate actions to help protect customers. For more information, please refer back to this site and check with your anti-malware vendor for detection support.

Continued: http://blogs.technet.com/b/msrc/archive/2012/06/03/microsoft-releases-security-advisory-2718704.aspx

Also See: Microsoft certification authority signing certificates added to the Untrusted Certificate Store
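The update described above works by adding the revoked intermediates to the Untrusted Certificates store. The following script is an added example (not Microsoft's code and not part of the forum post) that confirms the revocation landed on a given machine; it assumes only the two subject names quoted in the advisory and that PowerShell's Cert: drive is available, where the Untrusted Certificates store appears as Cert:\LocalMachine\Disallowed.

```powershell
# Added example: check that KB2718704 placed the Terminal Server Licensing
# intermediates in the Untrusted Certificates store (Cert:\LocalMachine\Disallowed).
# Run from an elevated PowerShell prompt; the names below come from the advisory.

$revokedNames = @(
    'Microsoft Enforced Licensing Intermediate PCA',            # advisory lists 2 certs
    'Microsoft Enforced Licensing Registration Authority CA'
)

$disallowed = Get-ChildItem -Path Cert:\LocalMachine\Disallowed

foreach ($name in $revokedNames) {
    $hits = $disallowed | Where-Object { $_.Subject -like "*$name*" }
    if ($hits) {
        foreach ($cert in $hits) {
            '{0,-8} {1}  {2}' -f 'REVOKED', $cert.Thumbprint, $cert.Subject
        }
    } else {
        "MISSING  $name -- KB2718704 does not appear to be applied on this machine"
    }
}

# Also make sure none of the revoked issuers is still present as a trusted
# intermediate; an entry in Disallowed overrides it, but it should not linger.
$stillTrusted = Get-ChildItem -Path Cert:\LocalMachine\CA |
    Where-Object { $s = $_.Subject; $revokedNames | Where-Object { $s -like "*$_*" } }

if ($stillTrusted) {
    'WARNING: revoked issuer still present in the Intermediate Certification Authorities store:'
    $stillTrusted | Format-Table Thumbprint, Subject -AutoSize
}
```

The script reports REVOKED with the thumbprint for each matching entry and MISSING if a name is absent, which is the signal to install the update manually as the advisory's Suggested Actions describe. Matching on the subject string rather than a hard-coded thumbprint is deliberate: the advisory gives names, not thumbprints, and the PCA name covers two distinct certificates.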

Advisory 2718704: Collision attack details, WU update rollout
by Carol~ Moderator / June 7, 2012 4:36 AM PDT
Security Advisory 2718704: Collision attack details, WU update rollout

Mike Reavey on June 6 @ the Microsoft Security Response Center Blog:

Today, as a part of our continuing phased mitigation strategy recently discussed, we have initiated the additional hardening of Windows Update. We've also provided more information about the MD5 hash-collision attacks used by the Flame malware in the SRD blog. This information should help answer questions from customers about the nature of these collision attacks. We continue to encourage all customers who are not installing updates automatically to do so immediately.

To attack systems using Windows Vista and above, a potential attacker would have needed access to the now invalid Terminal Server Licensing Service certificates and the ability to perform a sophisticated MD5 hash collision. On systems that pre-date Vista, an attack is possible without an MD5 hash collision. In either case, of course, an attacker must get his signed code onto the target system. This can be done if the client's Automatic Update program receives the attacker's signed package because such packages are trusted so long as they are signed with a Microsoft certificate. Windows Update can only be spoofed with an unauthorized certificate combined with a man-in-the-middle attack. To address this issue, we are also taking steps to harden the Windows Update infrastructure and ensure additional protections are in place.

When events like the current one occur, it's important for us to respond quickly and help protect customers as the first priority. This is why our initial response was to invalidate the entire certificate authority hierarchy associated with Terminal Server licensing. This applied to both present and past certificates, rather than just the specific certificates known to be used by the Flame malware. This was a broad action and was the fastest way to protect the largest number of customers. This is also why we continued our investigation and are hardening the Windows Update channel to further increase protection. And that is why we've waited until today, after most customers are protected from the risk posed by these certificates, to provide even more detail into how the cryptographic collisions were used in these attacks.

You can expect that we will continue to evaluate additional hardening of both the Windows Update channel and our code signing certificate controls as part of our ongoing analysis.


From the Security Research & Defense (SRD) Blog: Flame malware collision attack explained
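The post above explains that the forged certificate depended on an older hash algorithm (MD5) and on a hash collision against a certificate chain that still used it. As an added example, not taken from Microsoft or the forum, the script below inventories the local machine's trusted CA stores for certificates whose signature was computed over MD5 or SHA-1. It assumes the standard Cert: drive and the "md5RSA" / "sha1RSA" friendly names that the X509Certificate2 SignatureAlgorithm property reports for RSA signatures over those hashes.

```powershell
# Added example: list CA certificates in the Root and Intermediate stores whose
# signature uses an MD5 or SHA-1 digest. Run from an elevated PowerShell prompt.

$stores     = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA'
$weakHashes = 'md5RSA', 'sha1RSA'   # Windows friendly names for RSA-over-MD5 / RSA-over-SHA-1

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $alg = $_.SignatureAlgorithm.FriendlyName
        if ($weakHashes -contains $alg) {
            [pscustomobject]@{
                Store      = $store
                Algorithm  = $alg
                SelfSigned = ($_.Subject -eq $_.Issuer)   # a root signing itself
                NotAfter   = $_.NotAfter
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Algorithm, SelfSigned, NotAfter | Format-Table -AutoSize
} else {
    "No MD5- or SHA-1-signed CA certificates found in $($stores -join ', ')"
}
```

Read the SelfSigned column before acting on the output: the signature on a self-signed root is not what establishes trust in it (the root is trusted because it is in the store), so an md5RSA root is mostly a hygiene issue. The entries that matter are non-self-signed intermediates, because an MD5 signature on an intermediate is exactly the kind of link a collision attack of the sort described in the post targets.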