Microsoft has started to roll out additional hardening measures for its Windows Update service. Microsoft is taking these new steps in response to the discovery that the Flame malware was using Windows Update to propagate itself. At the same time, Microsoft is planning to go ahead and release its scheduled patches for Windows next Tuesday via Windows Update.
For Windows XP and Windows Server 2003, Flame was able to use false certificates issued by Microsoft’s now-invalidated Terminal Server Licensing Service. For Windows Vista and later, the malware also had to use an MD5 hash-collision attack. The attackers needed the MD5 hash collision on the certificates issued by the Terminal Server Licensing Service because, by default, the attacker’s certificate would not be accepted on Windows Vista or above. The collision attack was necessary to forge a certificate that would be valid for code signing. The Redmond company has posted more details on the nature of the MD5 hash collision attack here.
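The defensive counterpart of the attack described above is to refuse any certificate chain in which a link is signed with an MD5-based algorithm, since an attacker who can find MD5 collisions can forge such a signature. The following Python is an added example, not code from Microsoft or from the article: it includes a minimal DER walker that pulls the signature algorithm OID out of an X.509 certificate and compares it against the standard MD5 signature OIDs. The `toy_certificate` helper builds a stripped-down, constructed certificate containing only the fields the check reads, so the script runs offline; in practice you would feed it the DER of each certificate in a real chain (for example from `ssl.DER_cert_to_PEM_cert`'s input or a `.cer` file).

```python
"""Flag MD5-signed certificates in a chain (added example, not Microsoft's code)."""

# Standard OIDs for signature algorithms that rely on MD5 (RFC 3279 / PKCS#1).
MD5_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4",  # md5WithRSAEncryption (PKCS#1)
    "1.3.14.3.2.3",          # md5WithRSAEncryption (OIW variant)
}


def _der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    """Wrap body in a DER TLV with the given tag byte."""
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def decode_oid(body):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def toy_certificate(sigalg_oid, serial):
    """Constructed stand-in for an X.509 Certificate DER (assumption: only the
    outer SEQUENCE, tbsCertificate with serial + signature AlgorithmIdentifier,
    the outer AlgorithmIdentifier and a placeholder BIT STRING are present)."""
    alg_id = der(0x30, encode_oid(sigalg_oid) + der(0x05, b""))  # OID + NULL params
    tbs = der(0x30, der(0x02, bytes([serial])) + alg_id)
    sig = der(0x03, b"\x00" + b"\x00" * 8)  # placeholder signature, not a real one
    return der(0x30, tbs + alg_id + sig)


def signature_algorithm(cert_der):
    """Extract the dotted OID of the outer signatureAlgorithm of a certificate."""
    tag, body, _ = read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(body)          # skip tbsCertificate
    _, alg, _ = read_tlv(body, pos)        # signatureAlgorithm AlgorithmIdentifier
    _, oid, _ = read_tlv(alg)              # first element is the algorithm OID
    return decode_oid(oid)


def md5_links(chain):
    """Return the signature OIDs of every certificate in the chain that is MD5-signed."""
    algs = [signature_algorithm(c) for c in chain]
    return [a for a in algs if a in MD5_SIGNATURE_OIDS]


if __name__ == "__main__":
    chain = [toy_certificate("1.2.840.113549.1.1.11", 1),  # sha256WithRSA
             toy_certificate("1.2.840.113549.1.1.4", 2)]   # md5WithRSA
    bad = md5_links(chain)
    print("reject chain" if bad else "chain ok", bad)
```

A chain check of this kind belongs alongside, not instead of, normal path validation: it only tells you that a link could have been forged by collision, which is exactly the property the Vista-and-later signing rules were meant to exclude.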
“Windows Update can only be spoofed with an unauthorized certificate combined with a man-in-the-middle attack. To address this issue, we are also taking steps to harden the Windows Update infrastructure and ensure additional protections are in place,” wrote Mike Reavey, a Senior Director of the Microsoft Security Response Center.
Microsoft has decided to go ahead with this month’s Patch Tuesday and has published its advance notification. This month’s patches include 7 bulletins addressing 25 vulnerabilities in Microsoft Windows, Internet Explorer, Visual Basic for Applications, Dynamics AX, and the .NET Framework. Three of the bulletins are rated Critical and will require a system reboot after the patches have been applied.
Bulletin 4, which is rated Important, concerns Microsoft Office 2003 Service Pack 3, Microsoft Office 2007 Service Pack 2 and Microsoft Office 2007 Service Pack 3. It also applies to Microsoft Office 2010 (both 32-bit and 64-bit editions), but according to Microsoft there are no known attack vectors for the vulnerabilities in Office 2010. However, as a defense-in-depth measure, Microsoft recommends that users apply the update.