The details of the collision attack used by the Flame malware authors to create a forged code-signing certificate for Microsoft code are beginning to emerge, and the company said that the attackers used an MD5 hash collision specifically to ensure that their attack would work on machines running Windows Vista and later versions of the OS. Microsoft also said that it will roll out some hardening changes to its Windows Update infrastructure to prevent the kind of man-in-the-middle attack that Flame used.
Microsoft officials said that as they began to analyze the components of the Flame malware, they noticed that the digital certificate used by the malware not only chained up to the Microsoft root CA, but also had some odd attributes that didn’t add up.
“As we reviewed this certificate, we noticed several irregularities. First, it had no X.509 extension fields, which was not consistent with the certificates we issued from the Terminal Server licensing infrastructure. We expected to find a Certificate Revocation List (CRL) Distribution Point (CDP) extension, an Authority Information Access (AIA) extension, and a “Microsoft Hydra” critical extension. All of these were absent,” Microsoft’s Jonathan Ness said.
“This certificate had an unusual field—Issuer Unique Identifier. This field is obsolete and not used by Microsoft software or infrastructure. When we examined this field in detail, we realized that it did not contain random data, but rather it had structure. It contained a correctly encoded X.509V3 extension field starting at byte offset 0x119 into the Issuer Unique Identifier field.”
The one extension in the certificate that caught the attention of the Microsoft researchers, and was critical to the success of the attack by Flame, is the Microsoft Hydra extension.
“The Microsoft Hydra extension is marked as ‘critical’ and this is crucial to why the attacker needed to perform a collision attack. In X.509 parlance, if an extension is essential to the proper validation of a certificate chain, it must be marked critical. The behavior of a crypto library upon encountering an extension marked critical that it does not understand is to fail validation. The Crypto API in Windows Vista and later versions of Windows behaves this way and the certificates fail validation on those platforms. Hence, if the attacker wanted a certificate that worked on all versions of Windows they needed to remove this field.”
In other words, if the attackers had only wanted to go after Windows XP or 2000 machines, they wouldn’t have needed the collision attack.
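As an added example (not Microsoft's analysis tooling), here is a small pure-Python DER walker that flags the irregularities described above: an obsolete issuerUniqueID field, a missing extensions block, which extensions are marked critical, and structured X.509 data hidden inside the unique-identifier bytes. The sample certificate, its 17-byte padding and its smuggled basicConstraints extension are constructed for illustration; the real certificate's 0x119 offset and the Hydra extension are not reproduced.

```python
# Added example, not Microsoft's tooling: audit a DER certificate for the irregularities above. Sample is constructed.
def read_tlv(buf, pos=0):  # -> (tag, value, end) of the DER element at pos; single-byte tags only
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def children(buf):  # elements of a constructed value as (tag, value) pairs
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out
def oid_str(b):  # dotted-decimal OID from its DER content bytes
    arcs, v = [], 0
    for byte in b:
        v = (v << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, v = arcs + [v], 0
    return ".".join(map(str, [arcs[0] // 40, arcs[0] % 40] + arcs[1:]))
def parse_extension(body):  # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    parts = children(body)
    critical = len(parts) == 3 and parts[1][0] == 0x01 and parts[1][1] != b"\x00"
    return oid_str(parts[0][1]), critical
def find_hidden_extension(uid):  # (offset, oid, critical) of a DER Extension that ends exactly at the field's end, else None
    for off in range(len(uid) - 1):
        tag, val, end = read_tlv(uid, off)
        if tag == 0x30 and end == len(uid) and val[:1] == b"\x06":
            return (off,) + parse_extension(val)
    return None
def audit_tbs(cert_der):
    tbs = children(read_tlv(cert_der)[1])[0][1]  # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, signature }
    fields = children(tbs)
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # drop the optional EXPLICIT [0] version
    trailing = dict(fields[6:])  # optional tail: [1] issuerUniqueID=0x81, [2] subjectUniqueID=0x82, [3] extensions=0xA3
    exts = [parse_extension(v) for _, v in children(children(trailing[0xA3])[0][1])] if 0xA3 in trailing else []
    uid = trailing.get(0x81)
    return {"signature_algorithm": oid_str(children(fields[1][1])[0][1]), "issuer_unique_id_present": uid is not None,
            "extensions_present": 0xA3 in trailing, "critical_oids": [oid for oid, crit in exts if crit],
            "hidden_extension": find_hidden_extension(uid) if uid else None}

def tlv(tag, body):  # DER-encode one element; short-form lengths are enough for the sample
    return bytes([tag, len(body)]) + body
MD5_RSA = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010104")) + tlv(0x05, b""))  # md5WithRSAEncryption
BASIC_CONSTRAINTS = tlv(0x30, tlv(0x06, bytes([0x55, 0x1D, 0x13])) + tlv(0x01, b"\xFF") + tlv(0x04, tlv(0x30, b"")))
def build_sample(smuggle):  # constructed cert; the critical extension sits in [3], or inside issuerUniqueID when smuggle=True
    tail = tlv(0x81, b"\x00" * 17 + BASIC_CONSTRAINTS) if smuggle else tlv(0xA3, tlv(0x30, BASIC_CONSTRAINTS))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + MD5_RSA + tlv(0x30, b"")
           + tlv(0x30, tlv(0x17, b"120101000000Z") * 2) + tlv(0x30, b"") + tlv(0x30, b"") + tail)
    return tlv(0x30, tlv(0x30, tbs) + MD5_RSA + tlv(0x03, b"\x00" * 9))
```

Run `audit_tbs(build_sample(True))` to see the smuggled case: no extensions block, the obsolete field present, and a correctly encoded critical extension found at a fixed offset inside it, exactly the pattern a validator never evaluates.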
Part of the Flame attack involved executing a MITM attack that spread the malware via a spoofed update server that pushed signed executables disguised as Microsoft updates. Microsoft is planning to roll out some changes to its Windows Update system to address that vector.
“Our hardening introduces two defense-in-depth changes. First, we have further hardened the Windows Update infrastructure so that the Windows Update client will only trust files signed by a new certificate that is used solely to protect updates to the Windows Update client. Second, we are strengthening the communication channel used by Windows Update in a similar way,” the company said.