Microsoft has released Security Advisory 2718704, notifying customers about “unauthorized digital certificates” and the actions they can take to protect themselves against potential attacks that leverage unauthorized certificates signed by Microsoft.
The fraudulent certificates were found to chain up to a Microsoft sub-certification authority issued under the Microsoft Root Authority. Microsoft says the issue relates to a complex piece of targeted malware known as “Flame” and that the unauthorized certificates could be used to “spoof content, perform phishing attacks, or perform man-in-the-middle attacks.”
“Flame has been used in highly sophisticated and targeted attacks and, as a result, the vast majority of customers are not at risk. Additionally, most antivirus products will detect and remove this malware,” posted Jonathan Ness, MSRC Engineering.
“Components of the Flame malware were signed with a certificate that chained up to the Microsoft Enforced Licensing Intermediate PCA certificate authority, and ultimately, to the Microsoft Root Authority. This code-signing certificate came by way of the Terminal Server Licensing Service that we operate to issue certificates to customers for ancillary PKI-based functions in their enterprise. Such a certificate could (without this update being applied) also allow attackers to sign code that validates as having been produced by Microsoft,” Ness explained.
Ness added: “As soon as we discovered the root cause of this issue, we immediately began building an update to revoke the trust placed in the ‘Microsoft Enforced Licensing Intermediate PCA’ and ‘Microsoft Enforced Licensing Registration Authority CA’ signing certificates.”
The update is available today through Windows Update and Automatic Updates and places three certificates into the Windows Untrusted Certificate Store.
Microsoft has also discontinued issuing certificates usable for code signing via the Terminal Services activation and licensing process.
Microsoft advises users to apply the official update immediately, which will “add the proper certificates to the Untrusted Certificate Store.” Alternatively, the certificates can be placed there by other means. “For example, it might be more convenient to use the certutil command or the Certificates MMC snap-in. Or you might instead choose to manage trusted and untrusted certificates in your enterprise via group policy,” explains Ness.
Here are the thumbprints of the certificates to be placed in the Untrusted Certificates Store.

| Certificate | Issued by | Thumbprint |
|---|---|---|
| Microsoft Enforced Licensing Intermediate PCA | Microsoft Root Authority | 2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70 |
| Microsoft Enforced Licensing Intermediate PCA | Microsoft Root Authority | 3a 85 00 44 d8 a1 95 cd 40 1a 68 0c 01 2c b0 a3 b5 f8 dc 08 |
| Microsoft Enforced Licensing Registration Authority CA (SHA1) | Microsoft Root Certificate Authority | fa 66 60 a9 4a b4 5f 6a 88 c0 d7 87 4d 89 a8 63 d7 4d ee 97 |
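Whichever route an administrator takes (Windows Update, certutil, the MMC snap-in, or group policy), the outcome to verify is the same: all three thumbprints above must appear in the machine's Untrusted Certificates store. The following PowerShell script is an added example, not code from the advisory or from Microsoft; it assumes a Windows host with the standard `Cert:` provider, where the Untrusted Certificates store is exposed as `Disallowed`, and it uses the three SHA-1 thumbprints exactly as the advisory lists them.

```powershell
# Added example (not from Security Advisory 2718704 or Microsoft): verify that
# the three certificates the advisory revokes are present in the local machine's
# Untrusted Certificates store. Thumbprints are the SHA-1 values from the advisory.
$untrustedThumbprints = [ordered]@{
    'Microsoft Enforced Licensing Intermediate PCA (1)'      = '2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70'
    'Microsoft Enforced Licensing Intermediate PCA (2)'      = '3a 85 00 44 d8 a1 95 cd 40 1a 68 0c 01 2c b0 a3 b5 f8 dc 08'
    'Microsoft Enforced Licensing Registration Authority CA' = 'fa 66 60 a9 4a b4 5f 6a 88 c0 d7 87 4d 89 a8 63 d7 4d ee 97'
}

# The Certificates MMC "Untrusted Certificates" folder is the "Disallowed" store
# in the Cert: drive. X509Certificate2.Thumbprint is upper-case hex, no spaces.
$disallowed = Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
    Select-Object -ExpandProperty Thumbprint

$results = foreach ($entry in $untrustedThumbprints.GetEnumerator()) {
    # Normalize the advisory's spaced, lower-case form to the store's format.
    $normalized = ($entry.Value -replace '\s', '').ToUpperInvariant()
    [pscustomobject]@{
        Certificate = $entry.Key
        Thumbprint  = $normalized
        Untrusted   = [bool]($disallowed -contains $normalized)
    }
}

$results | Format-Table -AutoSize

$missing = @($results | Where-Object { -not $_.Untrusted })
if ($missing.Count -gt 0) {
    Write-Warning ("Update 2718704 does not appear to be fully applied: " +
                   "$($missing.Count) certificate(s) are not in the Untrusted store.")
    exit 1
}
Write-Output 'All three certificates are present in the Untrusted Certificates store.'
```

Run it from an elevated PowerShell prompt so the `LocalMachine` store is readable; a non-zero exit code makes the check easy to wire into an inventory or compliance job across an enterprise.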
For more information, refer to the following:
The EastWest Institute (EWI) has also released a new report entitled “The Internet Health Model for Cybersecurity,” which offers seven key principles for translating the concepts of public health into approaches for managing the cybersecurity of large populations.
The contributors also provide an exploration of five areas for future research.
The report represents an important effort in establishing the Internet health model as an organizing framework and in identifying priority areas for future research.