Microsoft vs. Flame – Part 2 – Update
Last updated on: September 7, 2020
My Windows machine just got its new Windows Update client delivered:
Two weeks ago the Flame Malware was discovered, and when Microsoft started to analyze it, they found that the malware binaries were digitally signed by none other than Microsoft itself. Upon further analysis it became clear that the authors of the Flame malware had found a loophole in the signing/verification infrastructure that allowed attackers to sign binaries as Microsoft.
This is a major security threat, with the main worry not really the Flame malware, but the other malware authors that certainly have started to reverse engineer the technique. Once they are successful they will use it to sign their their own creations and thereby avoid detection by anti-virus engines and other security mechanisms. Microsoft decided to react quickly and on Sunday June 3, 2012, Microsoft published Security Advisory 2718704 that removes the offending certificates from the local Windows certificate store, thereby closing the loophole.
Today Microsoft published a second component and further tightens Windows Update Security. From now on, the new Windows Update client only trusts one newly created signing certificate for all updates for Windows and Microsoft applications. With the new certificate which uses the newer SHA1 algorithm (rather than the outdated MD5), nobody but Microsoft should be able to sign future updates.
Your Windows workstation will get the new update client automatically at it next check for updates. It will have be installed before getting next Tuesday updates themselves as they will already be signed with the new certificate.