Tuesday, August 27, 2013

Monty Flameathon and the Holy Grail - trust no one, or trust but verify?

In a recent post in tymshft, I referred to Microsoft's monthly updates. This system provides millions of Microsoft product users with updates to their operating systems and software. In some cases, these updates are critical. Microsoft determined over a decade ago that this system was the best way to protect Microsoft users. In fact, Microsoft recommends that users set these updates to "automatic" mode, to ensure that they are installed.

I referred to this system in my tymshft post as a system that obviously requires a great deal of security. If you want people to trust that updates are coming from Microsoft, then you had better make sure that those updates ARE coming from Microsoft.

As I wrote that post, I didn't realize that Microsoft's security update system was compromised in 2012.

The exploit of Microsoft's Windows Update system by the sophisticated Flame cyber espionage malware was a "significant" event in the history of Windows hacking, experts said today....

What had those researchers reaching for superlatives was the Flame makers' theft of digital "signatures," or certificates, that labeled code as Microsoft's, and then the use of those certificates to "sign" malicious files that posed as legitimate Windows updates.

The combination allowed Flame to infect fully-patched Windows XP, Vista and Windows 7 PCs that were on the same network as an already-infected system.

So, basically, Microsoft was protecting its Windows Update service by the use of digital certificates. But when the Flame writer(s) got a hold of those digital certificates, this resulted in a major compromise of the system. The aforementioned researchers kept on using the term "Holy Grail" to refer to the exploit.

So what did Microsoft do? First, it broke its rule of only issuing updates once a month and rushed out a special update. Second, it took another measure to close the loophole:

Microsoft modified the Terminal Services licensing certificate authority (CA), the one hackers had exploited, so it could no longer issue code-signing certificates of any kind....

On Wednesday Microsoft announced it would revamp how Windows updates are secured, saying that it would dedicate a new CA to Windows Update, in effect unlinking the service from all other Microsoft-generated certificates.

At least one critic said that Microsoft's move was long overdue, and that Windows Update should have had a separate certificate authority all along. I wonder what that critic was saying ten years ago; in all fairness, however, the critic may not have known that Microsoft was using a common certificate authority for many of its services. (The critic also noted that Microsoft was not providing a lot of information.)

Of course, such things are bound to happen, and something will happen in the future, because no system - NONE - provides 100% protection.

So how do we react to this? Do we take the "trust no one" approach and assume that Windows Update (or Apple Update, or Linux Update, or whatever) is permanently compromised? Or do we take the "trust but verify" approach, in which we verify (or double-verify) with a reliable source that the update waiting for our attention is truly a legitimate update?
blog comments powered by Disqus