The Flame virus, which hijacked Microsoft’s Windows Update to deliver an online attack disguised as a security update, was an unprecedented attack that “required world-class cryptanalysis,” according to a security researcher whose past work revealed the possibility of such a virus and gave Microsoft a chance to protect against it.
That’s the finding of a report this week from security researcher Marc Stevens of the Centrum Wiskunde & Informatica (CWI) in Amsterdam.
The analysis appears to implicitly support the widespread belief that a governmental entity was behind the attack, which targeted computers in Iran and other parts of the Middle East.
Here’s an excerpt from his report …
The first cryptographic collision attack against the cryptographic hash function MD5 was invented by Xiaoyun Wang et al. in 2004, which however did not pose a serious immediate threat due to technical limitations. Subsequently, we have devised a more flexible collision attack against MD5 in 2007, a so-called chosen-prefix collision attack. This posed a greater threat due to the removal of the most important technical limitation. Finally, we refined our attack in 2008 and used it to construct a rogue Certification Authority, thereby demonstrating a serious vulnerability in internet security. Our demonstration convinced Microsoft and various governments to raise the security standards for Certification Authorities, by disallowing the use of MD5-based signatures effective 15 January 2009.
It is clear that Microsoft, at that time, should have also disallowed MD5-based signatures in their Terminal Server Licensing Service (TSLS). As apparently the Flame collision attack was executed in February 2010, it now turns out they did not; this has been an important oversight. The result of this collision attack on a Microsoft TSLS Certification Authority was a code-signing certificate appearing to be from Microsoft that may be used to sign Windows Updates. This attack avenue was essentially open to any knowledgeable attackers since June 2009, when, under the belief that MD5-based signatures had indeed been disallowed, we made the program sources for a chosen-prefix collision attack publicly available. Furthermore, it should be noted that, even without a collision attack, Microsoft has unsuspectingly been providing its TSLS customers with unwarranted code-signing abilities.
The virus creators exploited a flaw in a Microsoft cryptography algorithm to create a counterfeit digital signature, making it seem as if the malicious code came from Microsoft.
Microsoft over the weekend released an emergency security update to block software using the bogus digital signatures — the ones that made the nasty code appear to be authorized by Microsoft — and fixed the bug that allowed the signatures to be created.
Ars Technica has more details, including this perspective from Matthew Green, a Johns Hopkins University computer science professor: “There were mathematicians doing new science to make Flame work.”
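The report's point that MD5-based signatures should have been disallowed everywhere in the certificate hierarchy can be expressed as an audit check. The following is an added example, not code from the report or from Microsoft: it reads the declared signature algorithm from each DER-encoded certificate in a chain and flags MD5-based ones. The function names and the sample chain are constructed for illustration, and the check reads only the outer `signatureAlgorithm` field without verifying the signature itself.

```python
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}  # PKCS #1 OID

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits count length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OID content octets (base-128 subidentifiers) to dotted form."""
    subs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                     # high bit clear ends a subidentifier
            subs, value = subs + [value], 0
    head = [subs[0] // 40, subs[0] % 40] if subs[0] < 80 else [2, subs[0] - 80]
    return ".".join(map(str, head + subs[1:]))

def signature_oid(cert_der):
    """OID of the outer signatureAlgorithm field of an X.509 certificate."""
    tag, cert, _ = read_tlv(cert_der, 0)     # Certificate ::= SEQUENCE
    _, _, pos = read_tlv(cert, 0)            # skip tbsCertificate
    alg_tag, alg, _ = read_tlv(cert, pos)    # signatureAlgorithm ::= SEQUENCE
    oid_tag, oid, _ = read_tlv(alg, 0)       # algorithm OBJECT IDENTIFIER
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not an X.509 certificate structure")
    return decode_oid(oid)

def weak_links(chain):
    """(index, algorithm) for each chain entry signed with a disallowed hash."""
    return [(i, WEAK_SIG_OIDS[oid]) for i, cert in enumerate(chain)
            if (oid := signature_oid(cert)) in WEAK_SIG_OIDS]

# Constructed skeletons, not real certificates: filler tbsCertificate, dummy signature.
def der(tag, body):                          # sample encoder, bodies under 256 bytes
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body

def skeleton(oid_hex):
    alg = der(0x30, der(0x06, bytes.fromhex(oid_hex)) + der(0x05, b""))
    return der(0x30, der(0x30, der(0x04, bytes(200))) + alg + der(0x03, bytes(17)))

SAMPLE_CHAIN = [skeleton("2a864886f70d01010b"),   # sha256WithRSAEncryption
                skeleton("2a864886f70d010104")]   # md5WithRSAEncryption
```

Calling `weak_links(SAMPLE_CHAIN)` reports the second entry; against real certificates, pass the DER bytes of every certificate in the chain, including intermediate CAs such as licensing or internal issuing authorities.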