Flame is a piece of malware that was recently discovered by researchers at Kaspersky Lab. Flame is a malicious program that embeds itself in a system and steals data from it, among other things by logging keystrokes. It can steal valuable information, including but not limited to the contents of the computer's display, information about targeted systems, stored files, contact data and even audio conversations. It has hit the Middle East and North Africa, and Iran especially, hard. If you want to learn more about Flame, Kaspersky has a great article about it.
Today it was reported that one of the paths used by the Flame malware was a vulnerability in one of Microsoft's Windows digital signatures. The signature that was exploited was the one used for Terminal Server. The Terminal Server Licensing Service used an older cryptographic algorithm, and that weakness is what the malware exploited. This is a service that many businesses use to give their employees remote access. The attackers created rogue intermediate certificate authorities that tricked end users and administrators into thinking the certificates had been issued by Microsoft.
On Sunday Microsoft released an emergency update. The update blacklisted three intermediate certificate authorities tied to Microsoft's root authority. Microsoft also stopped issuing certificates that can be used for code signing through the Terminal Services activation and licensing process. Some are questioning why Microsoft allowed the licensing mechanism to sign untrusted code that chained up to the Microsoft root authority at all.
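For administrators who want to confirm the update took effect, the following is an added PowerShell example (not from the original post or from Microsoft): it lists what is in the machine's Untrusted Certificates store, then builds the Authenticode chain of a signed binary and flags any element whose thumbprint appears in that store. The sample file path is an assumption; point it at whatever binary you want to check.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell on Windows.
param([string]$Path = "$env:SystemRoot\System32\notepad.exe")  # assumed sample file

# 1. What has been blacklisted? Microsoft's update places the revoked intermediates here.
$disallowed = Get-ChildItem Cert:\LocalMachine\Disallowed
"Untrusted (Disallowed) store holds $($disallowed.Count) certificates"
$disallowed | Where-Object { $_.Subject -like '*Microsoft*' } |
    Format-Table Subject, Thumbprint, NotAfter -AutoSize

# 2. Read the Authenticode signature of the file under test.
$sig = Get-AuthenticodeSignature -FilePath $Path
"Signature status for ${Path}: $($sig.Status)"
if ($null -eq $sig.SignerCertificate) { return }   # unsigned file, nothing to chain

# 3. Build the chain from the signer up to the root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'   # check CRLs/OCSP; use 'NoCheck' when offline
$built = $chain.Build($sig.SignerCertificate)
"Chain builds cleanly: $built"

# 4. Walk the chain and flag anything sitting in the Disallowed store,
#    showing each certificate's Enhanced Key Usage so a licensing-only
#    intermediate that somehow carries Code Signing stands out.
$blocked = @($disallowed | ForEach-Object { $_.Thumbprint })
foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    $flag = if ($blocked -contains $cert.Thumbprint) { 'DISALLOWED' } else { 'ok' }
    $eku  = ($cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', '
    "{0,-10} {1}  {2}  [EKU: {3}]" -f $flag, $cert.Thumbprint, $cert.Subject, $eku
}
```

Any line marked DISALLOWED means the file was signed under one of the revoked intermediates and should be treated as untrusted regardless of what the signature status says.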
All indications are that the Flame malware was released by a nation-state, especially now that it has been [unofficially confirmed] that Stuxnet was authorized by the United States under the Bush administration and released during the Obama administration with the cooperation of Israel. At this point it is not clear who released the Flame malware. But it is obvious that both Stuxnet and Flame are just the vanguard of the next frontier of warfare, which is spreading from the battlefield to cyberspace. Whether those who released it had thought through all the possible consequences is not clear.