Microsoft Security Advisory notices do not, as a rule, make the media sit up and take much notice. They have become relatively commonplace over the years, but every now and then one comes along that deserves some press attention. Take MSA 2718704, for example.
At first the advisory, issued on June 3rd under the title "Unauthorized Digital Certificates Could Allow Spoofing", does not sound especially interesting. The interest becomes clear once you realise that components of the Flame worm (as reported here on DaniWeb) were signed with a certificate that chained up to the Microsoft Root Authority via the Microsoft Enforced Licensing Intermediate PCA certificate authority. That exposed a serious problem with those code-signing certificates: they could let malware be validated as if it were a Microsoft product.
Following the exposure of Flame, Microsoft investigated and found that certificates issued by the Microsoft Terminal Services licensing certification authority (used to authorise Remote Desktop Services licence servers in the enterprise) could be used to sign code as if it came from Microsoft itself, without ever touching the internal Microsoft PKI that exists to prevent exactly that. The intended use of those certificates was limited to licence server verification, but an old and weak cryptographic hash algorithm (MD5) used in that certificate chain could be exploited, by way of a collision attack, to turn a licensing certificate into one usable for code signing.
Of course, it is not just Flame that is the problem here; such unauthorised certificates could spoof content used for phishing or even mount man-in-the-middle attacks against online banking. Microsoft has therefore released an emergency update that revokes trust in a number of intermediate CA certificates across all supported releases of Windows, by moving them into the Untrusted Certificates store. Microsoft has also stopped issuing certificates usable for code signing via the Terminal Services activation and licensing process.
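For administrators who want to confirm the update has actually taken effect, the following PowerShell is an added example written for this article; it is not code from Microsoft or from the advisory. It lists any "Microsoft Enforced Licensing" certificates that now sit in the machine's Disallowed (Untrusted) store, and then checks whether an Authenticode-signed file's certificate chain passes through any certificate in that store. The file path is a placeholder you supply; the store names and cmdlets are standard Windows PowerShell.

```powershell
# Added example (not from the advisory or the article): verify that the
# licensing intermediates named in MSA 2718704 are distrusted on this machine,
# and test a signed binary's chain against the Disallowed store.

$pattern = 'Microsoft Enforced Licensing'   # subject fragment from the advisory

# 1. Which of the licensing intermediates are explicitly distrusted here?
$distrusted = Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
    Where-Object { $_.Subject -match $pattern }

if (-not $distrusted) {
    Write-Warning "No '$pattern' certificates in the Disallowed store; the update may not be applied."
} else {
    $distrusted | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize
}

# 2. Does a given Authenticode-signed file chain through any distrusted cert?
#    Returns an object rather than printing, so it can be piped or filtered.
function Test-SignerChainAgainstDisallowed {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        # Unsigned or unreadable: nothing to chain, report the status only.
        return [pscustomobject]@{ Path = $Path; Status = $sig.Status; DistrustedIssuer = $null }
    }

    # Build the chain ourselves so we see every element even when Windows
    # already reports the signature as NotTrusted because of the Disallowed entry.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck  # offline path check only
    [void]$chain.Build($sig.SignerCertificate)

    $disallowedThumbs = (Get-ChildItem -Path Cert:\LocalMachine\Disallowed).Thumbprint
    $hit = $chain.ChainElements |
        ForEach-Object { $_.Certificate } |
        Where-Object { $disallowedThumbs -contains $_.Thumbprint } |
        Select-Object -First 1

    [pscustomobject]@{
        Path             = $Path
        Status           = $sig.Status        # Valid, NotTrusted, HashMismatch, ...
        DistrustedIssuer = if ($hit) { $hit.Subject } else { $null }
    }
}

# Placeholder path: point this at a binary you want to check.
Test-SignerChainAgainstDisallowed -Path 'C:\path\to\suspect.exe'
```

A file whose chain reports a DistrustedIssuer will also show a Status of NotTrusted once the update is installed; seeing a Valid status on a file that chains through one of these intermediates is the sign that the machine has not yet received the update.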