Microsoft has issued an emergency security update to block an avenue of attack first seen in “Flame,” a newly-discovered, sophisticated malware strain that experts believe was designed to steal data specifically from computers in Iran and the Middle East.
According to Microsoft, Flame tries to blend in with legitimate Microsoft applications by cloaking itself with an older cryptography algorithm that Microsoft used to digitally sign programs.
“Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft,” the company said in a blog posting today.
Mike Reavey, senior director for the Microsoft Security Response Center, said Microsoft isn’t so concerned about Flame, which is now well detected (finally) by antivirus programs, and appears to have spread to a very small number of select systems. Rather, the company is worried that other attackers and malware might leverage the same method to aid in phishing attacks and other schemes that impersonate Microsoft to gain user trust.
The update released this week (KB2718704) blocks software signed by these Terminal Server License Service certificates. Updates are available for virtually all supported versions of Microsoft Windows. The patch is currently being pushed out through Windows Update and Automatic Update.