On Sunday Microsoft published Security Advisory 2718704, closing a loophole that the Flame malware used to masquerade as software signed by Microsoft. Software signed by Microsoft gains a huge boost in immunity against detection by common AV products, which is probably one of the reasons Flame evaded detection for years.
Our recommendation is to apply the update as soon as possible, not necessarily to escape Flame itself, but primarily to harden your machines before the authors of common malware reverse engineer the technique, which is valuable enough that we expect it to land in their toolkits.
Today Microsoft provided more details on the mechanism Flame's authors abused: certificates issued by the Terminal Server licensing service chained up to a Microsoft root and could be used to sign code. Microsoft distinguished between Windows XP, Windows Server 2003 and earlier, where simply signing with such a certificate was sufficient, and Windows Vista and later, where the attackers had the additional work of forging a certificate by means of an MD5 hash collision. The reason is that the licensing certificates carry a critical extension that Vista and later do not recognise and therefore reject, while XP does not enforce it.
Microsoft also provided some further information on how the Windows Update infrastructure will be hardened in the coming weeks and months. It appears that the Windows Update client will gain its own dedicated certificate hierarchy and will verify the properties of the certificate itself, checking that the fields code signing requires are present, rather than relying on a valid signature and chain alone. Stay tuned – we will update this post as more information is published.
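As an added example, not code from the original post or from Microsoft: a PowerShell script that does two things an administrator would want after reading the above. First, it checks whether the advisory has taken effect by looking for the blocked licensing CA certificates in the machine-wide Untrusted Certificates (Disallowed) store. Second, it validates a signed file the way the post says Windows Update will, asking not only "is the signature valid?" but "does the signer certificate carry the Code Signing EKU, does it carry any critical extension we do not recognise, and is its chain free of the blocked issuers?". Two assumptions are labelled in the code: that the blocked certificates all contain "Enforced Licensing" in their subject (check the exact names and thumbprints against the advisory), and the allowlist of critical extension OIDs, which is a reasonable minimum rather than the full set Windows understands.

```powershell
# Added example (not from the original post or from Microsoft).
# Requires PowerShell 3.0 or later; run from an elevated prompt to read the machine store.

# ASSUMPTION: the CA certificates the advisory moves to the Untrusted store all have
# "Enforced Licensing" in their subject. Confirm names/thumbprints against the advisory.
$BlockedSubjectPattern = '*Enforced Licensing*'
$CodeSigningEku        = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

# ASSUMPTION: a minimal allowlist of critical extensions a code-signing verifier understands
# (keyUsage, basicConstraints, EKU, SAN, SKI, AKI, certificatePolicies, CRLDP, AIA).
$KnownCriticalOids = @('2.5.29.15','2.5.29.19','2.5.29.37','2.5.29.17','2.5.29.14',
                       '2.5.29.35','2.5.29.32','2.5.29.31','1.3.6.1.5.5.7.1.1')

function Test-AdvisoryApplied {
    # Returns $true when at least one blocked licensing CA is in the Disallowed store,
    # which is where the update places them.
    $blocked = @(Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
        Where-Object { $_.Subject -like $BlockedSubjectPattern })
    foreach ($c in $blocked) {
        Write-Host ("Untrusted: {0}  thumbprint {1}" -f $c.Subject, $c.Thumbprint)
    }
    return ($blocked.Count -gt 0)
}

function Test-CodeSigningCertificate {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path              = $Path
        SignatureStatus   = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer            = $null
        HasCodeSigningEku = $false
        UnknownCritical   = @()
        BlockedIssuer     = $false
        Verdict           = 'Reject'
    }
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
        return [pscustomobject]$result
    }

    $cert = $sig.SignerCertificate
    $result.Signer = $cert.Subject

    # 1. Field check: the leaf must explicitly carry the Code Signing EKU.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku) {
        $result.HasCodeSigningEku = [bool]($eku.EnhancedKeyUsages |
            Where-Object { $_.Value -eq $CodeSigningEku })
    }

    # 2. A critical extension the verifier does not understand must fail validation
    #    (this is the behaviour that forced the MD5 collision on Vista and later).
    $result.UnknownCritical = @($cert.Extensions |
        Where-Object { $_.Critical -and ($KnownCriticalOids -notcontains $_.Oid.Value) } |
        ForEach-Object { $_.Oid.Value })

    # 3. Walk the chain and refuse anything issued under a blocked CA, even if the
    #    signature itself verifies.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($cert)
    foreach ($el in $chain.ChainElements) {
        if ($el.Certificate.Subject -like $BlockedSubjectPattern) { $result.BlockedIssuer = $true }
    }

    if ($result.HasCodeSigningEku -and $result.UnknownCritical.Count -eq 0 -and -not $result.BlockedIssuer) {
        $result.Verdict = 'Accept'
    }
    return [pscustomobject]$result
}

# Usage:
# Test-AdvisoryApplied
# Test-CodeSigningCertificate -Path "$env:SystemRoot\System32\notepad.exe"
```

The point of the three checks is that a valid signature over a valid chain is necessary but not sufficient: the signer must be authorised for code signing by its EKU, nothing it asserts as critical may be silently ignored, and the chain must not pass through an issuer the platform has explicitly distrusted. Windows' own Authenticode policy performs a richer version of this; the script is meant to make the checks visible and auditable, not to replace them.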