Tuesday, June 5, 2012

Flame virus hijacked Windows' last line of defence

Paul Marks, senior technology correspondent

When a novel computer threat hits the Windows ecosystem, Microsoft usually broadcasts an update online pretty quickly. That way, 900 million PC users can "patch" the vulnerability that let the threat thrive in the first place. So a nightmare scenario for security engineers has always been this: an attacker creates a smart, spoofed Microsoft update that lets them install a virus rather than a patch.

Well, it has happened at last.

Engineers poring over Flame, the powerful (and massive) cyberespionage program that Iranian authorities reported finding in a number of industrial and military facilities last week, have discovered a module among its 20 megabytes of attack tools that creates updates that look like they hail from Microsoft. This marks a watershed in computer (in)security and one for which there is currently no catch-all preventative measure. The reason? Update authenticity relies on the use of digital "certificates" that can be faked.

"Microsoft is aware of active attacks using unauthorised digital certificates derived from a Microsoft Certificate Authority," says the Redmond, Washington-based firm in a 3 June security advisory. "An unauthorised certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks."

It's such a "man-in-the-middle" attack - a certificate posing as an honest broker between the user's PC and Microsoft - that allows Flame's fake update to go ahead. Although that certificate has now been revoked, the mechanism revealed here will doubtless be a cue for copycats. "Techniques used by this malware... could also be leveraged by less sophisticated attackers to launch more widespread attacks," warns Microsoft.
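To make the trust decision concrete, here is an added Go model (not code from the article, Microsoft or Windows Update) of what an update client checks: the signer of a spoofed update chains through a subordinate CA to the vendor's root and is accepted, until the vendor's update pushes that CA onto an untrusted list, which is the effect of the revocation described above. All certificate names are constructed, and `mkCert`, `UpdateTrusted` and `Scenario` are this example's own functions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a code-signing certificate for cn signed by parent (the EKU must hold on every chain link); a nil parent makes a self-signed root.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if parent == nil { parent, parentKey = tmpl, key } // self-signed root
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// UpdateTrusted accepts an update only if its signer chains to a trusted root for code signing and no link of that chain is on the untrusted list (keyed on raw DER here; a real store keys on a thumbprint).
func UpdateTrusted(signer *x509.Certificate, roots, inters *x509.CertPool, untrusted map[string]bool) bool {
	chains, err := signer.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	if err != nil {
		return false // no path to a trusted root that permits code signing
	}
	for _, c := range chains[0] {
		if untrusted[string(c.Raw)] {
			return false // a link in the chain was revoked by the vendor's update
		}
	}
	return true
}

// Scenario models the Flame case with constructed names: a signer issued under a sub-CA that chains to the vendor root is accepted until the vendor's update puts that sub-CA on the untrusted list.
func Scenario() (before, after bool) {
	root, rootKey := mkCert("Example Vendor Root CA", true, nil, nil)
	subCA, subKey := mkCert("Example Vendor Sub CA (abused)", true, root, rootKey)
	signer, _ := mkCert("Spoofed Update Signer", false, subCA, subKey)
	roots, inters, untrusted := x509.NewCertPool(), x509.NewCertPool(), map[string]bool{}
	roots.AddCert(root)
	inters.AddCert(subCA)
	before = UpdateTrusted(signer, roots, inters, untrusted)
	untrusted[string(subCA.Raw)] = true // the revocation update lands on the client
	return before, UpdateTrusted(signer, roots, inters, untrusted)
}
```

`Scenario` returns `true, false`: the same spoofed signer is accepted before the untrusted-list update and rejected after it, without any change to the trusted roots.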

But don't worry, Flame probably isn't going to hit your PC. It is a highly targeted "toolkit" that appears to be undertaking reconnaissance for future Stuxnet-style attacks on Iranian (or at least Middle Eastern) infrastructure. The US/Israeli-developed Stuxnet worm invaded Iran's industrial computers and shook almost 1000 uranium centrifuges to pieces - but it needed to know the make, model and connectivity of the controlling computers to do so. Flame appears to have the national security pedigree of Stuxnet and its sister Duqu - and is highly targeted at stealing PDF files, computer-aided design drawings and Microsoft Office documents, presumably so that future software-based attacks can be engineered.

"This is the first time Microsoft Update has been patched. And it's a big deal indeed," says Mikko Hypponen of antivirus software house F-Secure in Finland. "However, we're lucky, because this attacker is not interested in infecting large numbers of computers. This technique has only been used in very limited and targeted attacks in The Middle East."

"The Microsoft Update hack used in Flame must have been very valuable to the attackers. We should assume they've used it in other, possibly unrelated attacks at the same time, since they must have known it would be discovered."

As for the spoof patch risk, however, all's fine: Microsoft has released a Windows update.
