Microsoft: Techniques Used By Flame Could Be Used By Less Sophisticated Attackers to Launch Widespread Attacks
On Sunday, Microsoft reached out to customers and notified the public that it had discovered unauthorized digital certificates that “chain up” to a Microsoft sub-certification authority issued under the Microsoft Root Authority.
Interestingly, there is a direct connection between this discovery and the recently discovered “Flame” malware (also known as Flamer and sKyWIper). While many have said the enterprise threat posed by “Flame” is minimal, Microsoft is now warning that some of the techniques used by components of Flame could be leveraged by less sophisticated attackers to conduct more widespread attacks, namely in malware using unauthorized certificates in order to appear to be legitimate software coming from Microsoft.
While these security issues are not Flame-specific, and could be used in other forms of unrelated malware, Microsoft was able to identify components of the Flame malware that had been signed with a certificate that ultimately chained up to the Microsoft Root Authority.
“We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft,” Microsoft Security Response Center’s Jonathan Ness wrote in a blog post. “We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft. Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft.”
In response to the discovery, Microsoft released an emergency security advisory on Sunday, detailing steps that organizations should take in order block software signed by the unauthorized certificates, and also released an update to automatically protect customers.
Related: What Flame Means to the Enterprise
“This code-signing certificate came by way of the Terminal Server Licensing Service that we operate to issue certificates to customers for ancillary PKI-based functions in their enterprise,” Ness explained. “Such a certificate could (without this update being applied) also allow attackers to sign code that validates as having been produced by Microsoft.”
Also as part of its response effort, Microsoft said its Terminal Server Licensing Service no longer issues certificates that allow code to be signed.
The update revokes three intermediate certificate authorities, pushing the following certificates into the “Untrusted Certificates Store”:
• Microsoft Enforced Licensing Intermediate PCA (2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70) – Issued by Microsoft Root Authority
• Microsoft Enforced Licensing Intermediate PCA (3a 85 00 44 d8 a1 95 cd 40 1a 68 0c 01 2c b0 a3 b5 f8 dc 08) – Issued by Microsoft Root Authority
• Microsoft Enforced Licensing Registration Authority CA (SHA1) (fa 66 60 a9 4a b4 5f 6a 88 c0 d7 87 4d 89 a8 63 d7 4d ee 97) – Issued by Microsoft Root Certificate Authority
“These actions will help ensure that any malware components that might have been produced by attackers using this method no longer have the ability to appear as if they were produced by Microsoft,” Ness added.
While most of anti-virus software from major vendors will detect and remove Flame, and auto-updates should address these new concerns, Microsoft recommends that administrators and enterprise installations apply the patch, manually if needed. Information on applying the updates (KB2718704) can be found here.
Microsoft did not say what algorithm was exploited in order to generate the rogue certificates, though SecurityWeek did reach out to Microsoft for comment and we will update the story if a response is received.
Related: What Flame Means to the Enterprise

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
More from Mike Lennon
- Watch Now: Threat Detection and Incident Response Virtual Summit
- Registration Now Open: 2023 ICS Cybersecurity Conference | Atlanta
- NetRise Adds $8 Million in Funding to Grow XIoT Security Platform
- Virtual Event Today: Zero Trust Strategies Summit
- Virtual Event Tomorrow: Zero Trust Strategies Summit
- Watch: How to Build Resilience Against Emerging Cyber Threats
- Video: How to Build Resilience Against Emerging Cyber Threats
- Webinar Today: Understanding Hidden Third-Party Identity Access Risks
Latest News
- Insider Q&A: Artificial Intelligence and Cybersecurity In Military Tech
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- OpenAI Unveils Million-Dollar Cybersecurity Grant Program
- Galvanick Banks $10 Million for Industrial XDR Technology
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Idaho Hospitals Working to Resume Full Operations After Cyberattack
