Following our recent article on Flame, it appears that “Flame” components were sign using Microsoft Certificate.
Microsoft just released an emergency bulletin, and an associated patch, notifying users of Windows that a “unauthorized digital certificates derived from a Microsoft Certificate Authority” was used to sign components of the “Flame” malware.
The update revokes a total of 3 intermediate certificate authorities:
- Microsoft Enforced Licensing Intermediate PCA (2 certificates)
- Microsoft Enforced Licensing Registration Authority CA (SHA1)
It is not clear from the bulletin, who had access to these intermediate certificates, and if they were abused by an authorized user, or if they were compromised and used by an unauthorized user. Either way: Apply the patch.
The bulletin also doesn’t state if this intermediate certificate authority or certificates derived from it could be used to fake the patch. Microsoft Certificates are used to sign patches, and a compromise could lead to a sever break in the trust chain. The use of a “real” Microsoft certificate is surely going to increase the speculations as to the origin of Flame.