Flame then installed 'WuSetupV.exe' with the description "Desktop Gadget Platform" "Allows you to display gadgets on your desktop".
What's amazing is that Windows Update doesn't require explicit validation of an update-only certificate chain. It seems like any certificate from the Microsoft root can certify updates (!).
This is like finding out the zombies have made it into the compound.
I wonder how big this hole is to fix. I also wonder, as many have, if this was written by an Intelligence agency and, if so, if they had access to Windows' source code.
The idea of Microsoft willingly giving Windows source code access to the government does not make a lot of sense.
What could have happened, however, is that the said "Intelligence agency" first created malware to infect MSFT engineers' computers and get access information for the code repository, and then spoofed themselves as MSFT employees to download the source code. This is a lot more plausible considering what Stuxnet and Flame can already do. (Assuming they were made by the same "Intelligence agency".)
MSFT should really check the systems of their employees first.
> I guess the good news is that this wasn't done by cyber criminals interested in financial benefit. They could have infected millions of computers. Instead, this technique has been used in targeted attacks, most likely launched by a Western intelligence agency.
They apparently were only thinking of monetary losses, but government malware on my computer is a lot worse than credit card malware. At least we know what credit card malware can do at best (or worst).
Apparently the other tricky bit is that Windows can be set to auto-configure network proxies (presumably for enterprise support), so the infected host pretends to be the source of auto-config info in order to direct the other systems to connect through it to get to Windows Update. At which point the infected system can infect the package, which has been signed so it will auto-install.
Here we have an example of complexity arising from copy protection/licensing. It so happens that this complexity caused a security vulnerability which, when exploited on any one computer, affects close to a billion computers.
Is anyone else infuriated that a vulnerability like this exists in what is analogous to copy protection code?
In other words, if Microsoft had been spending more of their resources on making software work, instead of making software work only when you've proven you've paid for it, this particular issue would not exist.
This sort of thing (certificate compromise) has happened with open source projects as well.
The downside of trusting certificates is that you're abstracting trust to a point where you (where you == the IT industry) stop questioning who can do what. You trust something absolutely, but that trust is based on lots of people whom you don't know doing the right thing without making mistakes.
Microsoft has over 90,000 employees, and no doubt some of those people were hired specifically to protect their software licensing. They're probably not pulling their top OS developers to work on this. So the idea that they should have been "spending more of their resources on making software work..." is not really valid.
In fact, there is no company or software community anywhere that writes highly complex and bug free software. It's not possible.
Oh look, another scaremongering and purposely misleading article from F-Secure. This is starting to become a regular thing, isn't it? I guess the recession must have hit them particularly hard.
I actually feel Mikko & the folks at F-Secure are very good at explaining things to people who aren't everyday "virus fighters," but I felt the exact same way you did (like they were scaremongering) when they said "The Nightmare Scenario."
I'm on the fence about this issue, honestly. Part of me feels like they believe passionately that we're stepping into new, dangerous territory. The other part of me indeed feels like this is great advertising for not only them, but their industry (And they're going to push it all they can).
But the fact of the matter is they admit they can't protect you, whoever you are, from these types of targeted attacks. I've seen well respected speakers from Defcon go back and forth with Mikko on Twitter about the efficiency of AV.
It sucks that you (the parent) are being downvoted, but this is an issue, what with the incredible amount of FUD that comes with every serious attack.
EDIT: My mistake in misspelling Mikko's name. Sorry about that.
semenko | 13 years ago
Flame took advantage of WPAD, a little-known magical hostname (http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protoco...) to do MITM attacks on the Windows Update servers.
fidotron | 14 years ago
Quite a demonstration that even if you go to great pains to secure the code, if you aren't careful with your credentials, then it's for nothing.
rbanffy | 13 years ago
I always remind myself I'm not as smart as I think I am.
sev | 13 years ago
You mean the bad news.