 Name GamePremium join:2002-07-07 North Myrtle Beach, SC kudos:7 | Emergency Bulletin: Unauthorized Certificate used in "Flame"

Microsoft Emergency Bulletin: Unauthorized Certificate used in "Flame"
Published: 2012-06-04, Last Updated: 2012-06-04 01:23:22 UTC by Johannes Ullrich (Version: 1) 0 comment(s)

Microsoft just released an emergency bulletin, and an associated patch, notifying users of Windows that "unauthorized digital certificates derived from a Microsoft Certificate Authority" were used to sign components of the "Flame" malware.

The update revokes a total of 3 intermediate certificate authorities:
Microsoft Enforced Licensing Intermediate PCA (2 certificates)
Microsoft Enforced Licensing Registration Authority CA (SHA1)

It is not clear from the bulletin who had access to these intermediate certificates, and if they were abused by an authorized user, or if they were compromised and used by an unauthorized user. Either way: Apply the patch.

The bulletin also doesn't state if this intermediate certificate authority or certificates derived from it could be used to fake the patch. Microsoft Certificates are used to sign patches, and a compromise could lead to a severe break in the trust chain. The use of a "real" Microsoft certificate is surely going to increase the speculations as to the origin of Flame.

[1] » technet.microsoft.com/en-us/secu···/2718704
[2] » blogs.technet.com/b/msrc/archive···704.aspx
» isc.sans.edu/diary.html?storyid=13366
-- Gladiator Security Forum »www.gladiator-antivirus.com/
|
|
 Name GamePremium join:2002-07-07 North Myrtle Beach, SC kudos:7 | Re: Emergency Bulletin: Unauthorized Certificate used in "F This is what the list of untrusted certificates looked like in Windows 7 before applying the Microsoft patch that revokes "Microsoft Enforced Licensing Registration Authority" used in Flame malware.
»twitpic.com/9sobor |
|
|
|
 CudniLa Merma - VigiladoPremium,MVM join:2003-12-20 Someshire kudos:13 | reply to Name Game Updated. Thanks
Cudni |
|
 beckPremium,MVM join:2002-01-29 On The Road kudos:1 | reply to Name Game Windows update prompted me for it. little file and installed quickly. |
|
 Name GamePremium join:2002-07-07 North Myrtle Beach, SC kudos:7 | said by beck: Windows update prompted me for it. little file and installed quickly.
Best to let it call home then..Microsoft probably wants to also make sure you have been good lately.  |
|
 Mele20Premium join:2001-06-05 Hilo, HI kudos:4 | reply to Name Game I tried to install it awhile ago. Microsoft, in their great wisdom, blocks my version of XP Pro from installing it. It is just an update to the Windows Certificate store (IE).
Ah, well....I don't use IE for anything but Flash/Java speed tests so what does it matter? -- When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson |
|
 joepwpbPremium join:2000-12-15 West Palm Beach, FL | Just downloaded and quickly ran the update on both my XP SP3 and Win 7 machine. The XP machine required a reboot.
Joe P |
|
 DrStrangeTechnically feasiblePremium join:2001-07-23 West Hartford, CT kudos:1 | reply to Name Game Considering that it's the first malware I've ever heard of that takes up 20MB of hard drive space, I was wondering if Microsoft wrote it themselves, or if some of the same people worked on this as worked on Vista.
If it came with a help file that only told you, in excruciating detail, what you already knew, that would have removed all doubt in my mind.
 |
|
 rcdaileyDragoonflyPremium join:2005-03-29 Rialto, CA Reviews:
·RoadRunner Cable
| reply to Name Game
Re: Emergency Bulletin: Unauthorized Certificate used in "Flame" Got this offered by MS Update before I checked here. I allowed the update. This on XP SP3, but I saw from checking the link in the update info that it will probably be shown on the Win 7 boxes, too. I will update the digital x-ray system (also XP SP3) manually, but will not restart it. It can be restarted the next day since it will be shut down overnight. -- It is easier for a camel to put on a bikini than an old man to thread a needle. |
|
 rcdaileyDragoonflyPremium join:2005-03-29 Rialto, CA | reply to Mele20
Re: Emergency Bulletin: Unauthorized Certificate used in "F Oh, that's right. You're still using SP2, and MS doesn't like that. |
|
 rcdaileyDragoonflyPremium join:2005-03-29 Rialto, CA Reviews:
·RoadRunner Cable
| reply to joepwpb Win 7 systems did not require a reboot? That would be good news for me because one of them acts as a server as well and is not supposed to be restarted very often. It's a pain doing that because of the hours of operation, etc. -- It is easier for a camel to put on a bikini than an old man to thread a needle. |
|
 therube join:2004-11-11 Randallstown, MD | reply to joepwpb quote: The XP machine required a reboot.
Hah! What a crock. Had I read that before, I would not have accepted the download prompt yet, much less have done the actual install. |
|
 rcdaileyDragoonflyPremium join:2005-03-29 Rialto, CA Reviews:
·RoadRunner Cable
| Yeah, it's not a big thing for me, and I restarted here, but I don't like having to restart any system where work needs to be done during the day. It's just not practical to stop everything for a restart. -- It is easier for a camel to put on a bikini than an old man to thread a needle. |
|
 therube join:2004-11-11 Randallstown, MD | reply to Name Game > This is what the list of untrusted certificates looked like in Windows 7 before
Which you get to see, how? (In XP['s crappy, non-resizable], IE Preferences | Content -> Certificates, I see much more & differently.) |
|
 DrStrangeTechnically feasiblePremium join:2001-07-23 West Hartford, CT kudos:1 | reply to rcdailey
Re: Emergency Bulletin: Unauthorized Certificate used in Flame No reboot required for this update here, on Win 7 - 32 bit. |
|
 Name GamePremium join:2002-07-07 North Myrtle Beach, SC kudos:7 | reply to therube
Re: Emergency Bulletin: Unauthorized Certificate used in "F
said by therube:
> This is what the list of untrusted certificates looked like in Windows 7 before
Which you get to see, how? (In XP['s crappy, non-resizable], IE Preferences | Content -> Certificates, I see much more & differently.)

Here's an animated screenshot showing what the update does: it adds two certificates issued by Microsoft Root Authority and one by Microsoft Root Certificate Authority to the list of Untrusted Certificates.
»www.f-secure.com/weblog/archives···377.html
Don't forget to click on those arrows on the right hand side to see more tabs
-- Gladiator Security Forum »www.gladiator-antivirus.com/
|
|
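For the question above of how to view the untrusted list, an added example (not from the thread, the ISC diary or Microsoft): a PowerShell check of the Untrusted Certificates store for the CA names listed in the first post. It matches by subject name only, because the thumbprints are not given on this page; compare the printed thumbprints against the advisory.

```powershell
# Added example, not from the thread or from Microsoft.
# CA names and expected counts come from the first post; thumbprints are not
# on this page, so matching is by subject name only.
$expected = @(
    @{ Name = 'Microsoft Enforced Licensing Intermediate PCA';          Count = 2 },
    @{ Name = 'Microsoft Enforced Licensing Registration Authority CA'; Count = 1 }
)

# "Untrusted Certificates" in the GUI is the Disallowed store. Read both the
# machine and user views and de-duplicate, since a certificate can show in both.
$stores = 'Cert:\LocalMachine\Disallowed', 'Cert:\CurrentUser\Disallowed'
$found = foreach ($store in $stores) {
    if (Test-Path -Path $store) { Get-ChildItem -Path $store }
}
$found = @($found | Sort-Object -Property Thumbprint -Unique)

# One report row per CA name: how many matching certificates are distrusted.
$report = foreach ($ca in $expected) {
    $hits = @($found | Where-Object { $_.Subject -like "*$($ca.Name)*" })
    New-Object -TypeName PSObject -Property @{
        Name             = $ca.Name
        Expected         = $ca.Count
        Found            = $hits.Count
        InUntrustedStore = ($hits.Count -ge $ca.Count)
        Thumbprints      = ($hits | ForEach-Object { $_.Thumbprint }) -join ', '
    }
}

$report |
    Select-Object Name, Expected, Found, InUntrustedStore, Thumbprints |
    Format-List

# Flag machines where the revocation does not appear to be in place.
if ($report | Where-Object { -not $_.InUntrustedStore }) {
    Write-Warning 'A listed CA is missing from the Untrusted store; the update may not be installed.'
}
```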
 rcdaileyDragoonflyPremium join:2005-03-29 Rialto, CA Reviews:
·RoadRunner Cable
| reply to DrStrange
Re: Emergency Bulletin: Unauthorized Certificate used in Flame
said by DrStrange: No reboot required for this update here, on Win 7 - 32 bit.
Good to know. I'll be looking at 3 Win 7 Pro 64-bit systems, but I'm sure the answer will be the same. -- It is easier for a camel to put on a bikini than an old man to thread a needle. |
|
 antdudeA Ninja AntPremium,VIP join:2001-03-25 United State kudos:4 Reviews:
·RoadRunner Cable
| reply to Name Game
Re: Emergency Bulletin: Unauthorized Certificate used in "F No reboot for my 64-bit W7 HPE (IE8) machine, but did reboot for my XP Pro. SP3 (IE6) VM.
I don't know if it is related, but my P4V.exe (Perforce) denied me to log in. I removed the patch and no problems. Put it back, and it works fine but I need to wait another 24 hours so it can ask me to log in again. Did anyone notice anything weird from this update? -- Ant @ »antfarm.ma.cx and »aqfl.net. Please do not IM/e-mail me for technical support. Use the forum! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer |
|
 | reply to rcdailey Very quick update here on my 64-bit Win 7 Home Premium with no reboot required. |
|
 rcdaileyDragoonflyPremium join:2005-03-29 Rialto, CA Reviews:
·RoadRunner Cable
1 edit | All three Win 7 Pro 64-bit systems updated without requiring a reboot. The XP Pro system (digital x-ray) did require a reboot, so that seems to be consistent. IE8 in use on that XP system, but browsing is limited to Windows Update. Nothing weird happened with any of these systems so far, including my old home system with XP SP3. Since this patch is related to certificates, could that be an issue with products/services such as Perforce?
Never mind, I realized from the post following that this is about protecting Windows Update and not about other certificates, necessarily. -- It is easier for a camel to put on a bikini than an old man to thread a needle. |
|