It’s been a busy few days for malware and security developments. On Friday I was listening to the TWIT Security Now podcast (recorded Wednesday, May 30th) and its discussion of the Flame malware. For a great explanation of the backstory of this malware, check out that TWIT episode.
This morning I learned from SysAdmin1138’s blog post that Microsoft has published a Security Advisory containing a fix designed to help protect you from being infected with this malware, assuming you are not already infected; apparently there is evidence that portions of this malware have been around for a few years!
The short version: the certificates issued by Microsoft’s Terminal Server Licensing Service chain up to a Microsoft root, and a flaw in how they were issued made it possible for an attacker to derive from them a certificate that could sign code. Anything signed that way passes Authenticode validation and appears to come from Microsoft. Flame exploited exactly that weakness. Additional details are available from Microsoft in a TechNet blog post published on June 3rd.
While Flame appears to be primarily a cyber-warfare tool, and may not directly affect organizations that are unlikely targets of cyber-warfare interests, the same weakness could be used to sign just about anything else and get it onto your systems with a trusted Microsoft signature. You may not consider yourself at risk from Flame, but everybody is at risk from some other piece of malware signed with this technique. You absolutely need to install this update as soon as you can.
The update does not work through a Certificate Revocation List; it places the affected licensing intermediate certificates into the Untrusted Certificates store on each system, so any signature chaining through them fails validation regardless of CRL availability. Microsoft also states that it has updated the Terminal Server Licensing Service itself so that it no longer issues certificates capable of code signing; that change is on Microsoft’s side of the licensing infrastructure, and there is nothing for you to install for it.
If you have WSUS or SCCM, deploy KB2718704 immediately. If you have Solarwinds Patch Manager you can deploy this out-of-band update today to your entire enterprise as a single, on-demand, monitored task that gives you immediate feedback on which systems have been secured and which have not. If you are using another third-party patching tool, such as Shavlik / VMware, you will need to wait for the patch to be made available for download, likely tomorrow.
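Whatever tool pushes the update, you want an independent check that it actually took effect on a given machine. The script below is an added example, not from the original post or from Microsoft; it assumes that KB2718704 is reported through Get-HotFix (not every update type is, which is why the certificate-store check is the one that counts) and that, as the advisory describes, the update places the "Microsoft Enforced Licensing" intermediate certificates (three of them) into the Untrusted Certificates store, which PowerShell exposes as Cert:\LocalMachine\Disallowed. Run it in an elevated PowerShell prompt on the system you want to verify.

```powershell
# Added verification script (not part of the original post). Assumptions:
#  - Get-HotFix may or may not list KB2718704 depending on how the package
#    was installed, so it is treated as informational only.
#  - The update puts the advisory's three "Microsoft Enforced Licensing ..."
#    intermediate certificates into the Untrusted Certificates store,
#    i.e. Cert:\LocalMachine\Disallowed. Matching on subject name rather than
#    thumbprint keeps the check valid if the update is ever re-issued.

function Test-KB2718704Applied {
    [CmdletBinding()]
    param()

    # 1. Package-level check: did the hotfix register with the OS?
    $hotfix = Get-HotFix -Id 'KB2718704' -ErrorAction SilentlyContinue

    # 2. Effect-level check: are the licensing intermediates explicitly
    #    distrusted? This is what actually breaks the forged signature chain.
    $untrusted = @(Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
        Where-Object { $_.Subject -like '*Microsoft Enforced Licensing*' })

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        HotfixReported     = [bool]$hotfix
        UntrustedCertCount = $untrusted.Count
        UntrustedSubjects  = $untrusted | ForEach-Object { $_.Subject }
        UntrustedThumbs    = $untrusted | ForEach-Object { $_.Thumbprint }
        # The advisory lists three certificates; fewer means a partial or
        # missing update and the system should be treated as unprotected.
        Protected          = ($untrusted.Count -ge 3)
    }
}

$result = Test-KB2718704Applied
$result | Format-List

if (-not $result.Protected) {
    Write-Warning "KB2718704 does not appear to be fully applied on $($result.ComputerName); forged licensing-chain signatures may still validate here."
    exit 1
}
```

The non-zero exit code lets you wrap this in whatever remote-execution or inventory mechanism you already have, so that "deployed" in the patch console is cross-checked against "the certificates are really in the Disallowed store" on the endpoint.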