[Owasp-cuiaba] Microsoft Windows Unauthorized Digital Certificates

Kembolle Amilkar haxorcoding at gmail.com
Tue Jun 5 13:38:36 UTC 2012

                   National Cyber Alert System

             Technical Cyber Security Alert TA12-156A

Microsoft Windows Unauthorized Digital Certificates

  Original release date: June 04, 2012
  Last revised: --
  Source: US-CERT

Systems Affected

    All supported versions of Microsoft Windows, including:

    * Windows XP and Server 2003
    * Windows Vista and Server 2008
    * Windows 7 and Server 2008 R2
    * Windows 8 Consumer Preview
    * Windows Mobile and Phone

Overview

  X.509 digital certificates issued by the Microsoft Terminal
  Services licensing certificate authority (CA) can be illegitimately
  used to sign code. This problem was discovered in the Flame
  malware. Microsoft has released updates to revoke trust in the
  affected certificates.

I. Description

  Microsoft Security Advisory (2718704) warns of active attacks using
  illegitimate certificates issued by the Microsoft Terminal Services
  licensing certificate authority (CA). The root cause appears to be a
  combination of weak cryptography and a certificate usage
  configuration that did not restrict the certificates to licensing.
  From an MSRC blog post:

     We identified that an older cryptography algorithm could be
     exploited and then be used to sign code as if it originated from
     Microsoft. Specifically, our Terminal Server Licensing Service,
     which allowed customers to authorize Remote Desktop services in
     their enterprise, used that older algorithm and provided
     certificates with the ability to sign code, thus permitting code
     to be signed as if it came from Microsoft.

  From another MSRC blog post:

     What we found is that certificates issued by our Terminal
     Services licensing certification authority, which are intended
     to only be used for license server verification, could also be
     used to sign code as Microsoft. Specifically, when an enterprise
     customer requests a Terminal Services activation license, the
     certificate issued by Microsoft in response to the request
     allows code signing without accessing Microsoft's internal PKI.

  The following details about the affected certificates were provided
  in Microsoft Security Advisory (2718704):

     Certificate: Microsoft Enforced Licensing Intermediate PCA
     Issued by: Microsoft Root Authority
     Thumbprint: 2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c \
                 52 b2 4e 70

     Certificate: Microsoft Enforced Licensing Intermediate PCA
     Issued by: Microsoft Root Authority
     Thumbprint: 3a 85 00 44 d8 a1 95 cd 40 1a 68 0c 01 2c b0 a3 \
                 b5 f8 dc 08

     Certificate: Microsoft Enforced Licensing Registration Authority
                  CA (SHA1)
     Issued by: Microsoft Root Certificate Authority
     Thumbprint: fa 66 60 a9 4a b4 5f 6a 88 c0 d7 87 4d 89 a8 63 \
                 d7 4d ee 97
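  The chain inspection the description above implies, written as an
  added example that is not part of the alert and is not Microsoft's
  tooling: it walks the Authenticode chain of signed files with the
  built-in Get-AuthenticodeSignature cmdlet and the .NET X509Chain
  class, reports the Enhanced Key Usage each CA in the chain carries,
  and flags any element whose thumbprint matches the three certificates
  listed above. The thumbprints are the advisory's (written without
  spaces, as Windows reports them); the function names and the scan
  path are assumptions.

```powershell
# Added example, not from the US-CERT alert or Microsoft: list signed
# files whose Authenticode chain passes through a certificate named in
# Microsoft Security Advisory (2718704). Function names are illustrative.
$RevokedThumbprints = @(
    '2A83E9020591A55FC6DDAD3FB102794C52B24E70'  # Enforced Licensing Intermediate PCA
    '3A850044D8A195CD401A680C012CB0A3B5F8DC08'  # Enforced Licensing Intermediate PCA
    'FA6660A94AB45F6A88C0D7874D89A863D74DEE97'  # Enforced Licensing Registration Authority CA (SHA1)
)
$EkuOid = '2.5.29.37'   # id-ce-extKeyUsage

function Get-EkuList {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Enhanced Key Usage OIDs on the certificate. The advisory's point is
    # that a certificate meant only for license server verification could
    # be used for code signing, so the usages on each CA in the chain are
    # worth seeing next to the thumbprint match.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $EkuOid }
    if ($null -eq $ext) { return @() }   # no EKU extension: unconstrained
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-SignerChain {
    param([Parameter(Mandatory=$true)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($null -eq $sig.SignerCertificate) {
        return [pscustomobject]@{ Path = $Path; Status = $sig.Status; RevokedCa = ''; Chain = @() }
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Only the chain shape is needed here; skip online CRL/OCSP fetches.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    # Build() returns $false for an untrusted chain but still fills ChainElements.
    [void]$chain.Build($sig.SignerCertificate)

    $elements = foreach ($e in $chain.ChainElements) {
        $c = $e.Certificate
        [pscustomobject]@{
            Subject    = $c.Subject
            Thumbprint = $c.Thumbprint
            Eku        = (Get-EkuList -Certificate $c) -join ','
            Revoked    = $RevokedThumbprints -contains $c.Thumbprint
        }
    }
    [pscustomobject]@{
        Path      = $Path
        Status    = $sig.Status
        RevokedCa = ($elements | Where-Object { $_.Revoked } |
                     Select-Object -ExpandProperty Subject) -join '; '
        Chain     = $elements
    }
}

# Usage: scan a directory tree of executables. Any row with a non-empty
# RevokedCa column chains through a certificate the advisory revokes and
# should be treated as untrusted regardless of the Status column.
$ScanRoot = 'C:\Path\To\Scan'   # placeholder, not a path from the alert
Get-ChildItem -Path $ScanRoot -Filter *.exe -Recurse |
    ForEach-Object { Test-SignerChain -Path $_.FullName } |
    Where-Object { $_.RevokedCa } |
    Select-Object Path, Status, RevokedCa
```

  Because the check is on the chain rather than on the signature status,
  it still reports a match on a host where KB2718704 has not yet been
  applied and Windows would otherwise report the signature as valid.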

II. Impact

  An attacker could obtain a certificate that could be used to
  illegitimately sign code as Microsoft. The signed code could then
  be used in a variety of attacks in which the code would appear to
  be trusted by Windows.

  An attacker could offer software that appeared to be signed by a
  valid and trusted Microsoft certificate chain. As noted in an MSRC
  blog post, "...some components of the [Flame] malware have been
  signed by certificates that allow software to appear as if it was
  produced by Microsoft."

III. Solution

  It is important to act quickly to revoke trust in the affected
  certificates. Any certificates issued by the Microsoft Terminal
  Services licensing certificate authority (CA) could be used for
  illegitimate purposes and should not be trusted.

  Apply updates

     Apply the appropriate versions of KB2718704 to add the affected
     certificates to the Untrusted Certificate Store. Updates will
     reach most users via automatic updates and Windows Server Update
     Services (WSUS).

  Revoke trust in affected certificates

     Manually add the affected certificates to the Untrusted
     Certificate Store. The Certificates MMC snap-in and the Certutil
     command can be used on Windows systems.
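  A way to confirm that the revocation described above is actually in
  place on a host, added here as an example that is not part of the
  alert and not a Microsoft script: it looks for the three advisory
  thumbprints in the machine's Untrusted Certificates store, which is
  what KB2718704 populates, and prints the certutil command for the
  manual route when they are missing. "Disallowed" is the store's name
  as exposed by certutil and the Cert: drive; the thumbprints are the
  advisory's; the function name and the .cer path are assumptions.

```powershell
# Added example, not from the US-CERT alert or Microsoft: verify that the
# certificates from Advisory 2718704 are in the Untrusted Certificates
# store ("Disallowed"). Run in an elevated Windows PowerShell session.
$RevokedThumbprints = @(
    '2A83E9020591A55FC6DDAD3FB102794C52B24E70'  # Enforced Licensing Intermediate PCA
    '3A850044D8A195CD401A680C012CB0A3B5F8DC08'  # Enforced Licensing Intermediate PCA
    'FA6660A94AB45F6A88C0D7874D89A863D74DEE97'  # Enforced Licensing Registration Authority CA (SHA1)
)

function Get-UntrustedStatus {
    # Cert:\LocalMachine\Disallowed is the PowerShell provider view of the
    # "Untrusted Certificates" store the alert refers to.
    $store = Get-ChildItem -Path Cert:\LocalMachine\Disallowed
    foreach ($tp in $RevokedThumbprints) {
        $match = $store | Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1
        $subject = '(not in store)'
        if ($match) { $subject = $match.Subject }
        New-Object PSObject -Property @{
            Thumbprint = $tp
            Subject    = $subject
            Untrusted  = [bool]$match
        }
    }
}

$status = Get-UntrustedStatus
$status | Format-Table Thumbprint, Untrusted, Subject -AutoSize

# Secondary indicator only: the update package as recorded by the host.
# The store contents above are the ground truth.
$kb = Get-HotFix -Id KB2718704 -ErrorAction SilentlyContinue
if ($kb) { Write-Host "KB2718704 recorded as installed on $($kb.InstalledOn)" }

$missing = @($status | Where-Object { -not $_.Untrusted })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) advisory certificate(s) are not in the Untrusted store."
    # Manual route the alert describes: with the certificate exported to a
    # .cer file (for example from the MMC snap-in on a host that has the
    # update), certutil adds it to the Untrusted store. <certificate>.cer
    # is a placeholder.
    Write-Host 'Manual alternative:  certutil -addstore Disallowed <certificate>.cer'
    Write-Host 'Verify afterwards:   certutil -store Disallowed'
}
```

  Checking the store rather than the update history catches the case
  where the certificates were added by hand, and the case where the
  update is listed but the store was later modified.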

IV. References

 * US-CERT Current Activity: Unauthorized Microsoft Digital
  Certificates -

 * Microsoft Security Advisory (2718704) -

 * Unauthorized digital certificates could allow spoofing -

 * Microsoft certification authority signing certificates added to the
  Untrusted Certificate Store -

 * Microsoft releases Security Advisory 2718704 -

 * Windows Server Update Services -

 * Certutil -

 * How to: View Certificates with the MMC Snap-in -

Revision History

 June 04, 2012: Initial release


  Feedback can be directed to US-CERT Technical Staff. Please send
  email to <cert at cert.org> with "TA12-156A Feedback INFO#461124" in
  the subject.

  Produced by US-CERT, a government organization.

This product is provided subject to the Notification as indicated here:

This document can also be found at

For instructions on subscribing to or unsubscribing from this
mailing list, visit http://www.us-cert.gov/cas/signup.html


Regards, Kembolle Amilkar
#/ [ kembolle.com.br <http://www.kembolle.com.br> ] - Information Security
Consulting.
#/ [ samurayconsultoria.com.br ] - Chief Security Officer - Samuray
#/ Systems Analyst | Information Security Specialist | Computer Forensics Expert |
#/ OWASP Cuiabá Chapter Leader - https://www.owasp.org/index.php/Cuiaba
#/ Mobile: [65] 9979-2925  && contato[at]kembolle.com.br.