Microsoft Emergency Bulletin: Unauthorized Certificate used in "Flame"

Published: 2012-06-04
Last Updated: 2012-06-05 10:29:19 UTC
by Johannes Ullrich (Version: 4)
11 comment(s)

Microsoft just released an emergency bulletin, and an associated patch, notifying users of Windows that a "unauthorized digital certificates derived from a Microsoft Certificate Authority" was used to sign components of the "Flame" malware. 

The update revokes a total of 3 intermediate certificate authorities: 


  • Microsoft Enforced Licensing Intermediate PCA (2 certificates)
  • Microsoft Enforced Licensing Registration Authority CA (SHA1)

It is not clear from the bulletin, who had access to these intermediate certificates, and if they were abused by an authorized user, or if they were compromised and used by an unauthorized user. Either way: Apply the patch.

The bulletin also doesn't state if this intermediate certificate authority or certificates derived from it could be used to fake the patch. Microsoft Certificates are used to sign patches, and a compromise could lead to a sever break in the trust chain. The use of a "real" Microsoft certificate is surely going to increase the speculations as to the origin of Flame.


Johannes B. Ullrich, Ph.D.
SANS Technology Institute


========== UPDATE 1 (04 June) ===========

We'll update this story as we learn more

A post today from Microsoft sheds more light on this:

If you are not patched or otherwise mitigated, your workstation will trust code signed with this cert - remember that patch Tuesday is coming up, this could go very bad very quickly !!

The certificates in question are issued by "Microsoft Root Authority" or "Microsoft Root Certificate Authority".  "Microsoft Root Authority" is certainly in my browser list trusted for "All issuance policies" and "All application policies". 

This lends more weight to the wording in the original SA [1], which indicated that these certs can be used in MitM (Man in the Middle) attacks on SSL as well as code signing.

We've discussed the potential in the past for pushing malware as a patch, but seeing this as possible in a major platform like Windows is NOT common !

The patch provided by Microsoft removes trust for these, but you can do this yourself in your browser, or by using the CERTUTIL command line method.  However, I don't see anything in my list that looks like what's been compromised - and in order to move a CA to the untrusted list it needs to be in your list in the first place.  Removing the Microsoft Roots are (of course) not recommended !


========== Update 2 (04 June) ==========

I've had a reader ask - how do I remove these from the Trusted Publishers list without applying a patch that I haven't yet tested?

Simple, you can use certutil.  For instance, to remove the first cert ("Microsoft Enforced Licensing Intermediate PCA", with a Thumbprint of "2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70" ), enter the command:

certutil -delstore authroot "2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70"

After you delete the offending items (or apply the patch), you can easily check the status in IE, under "Untrusted Publishers" tab in the "Content" / Publishers section


========== UPDATE 3 (05 June) ===========

Our reader Matthijs correctly points out that in this case you cannot delete what is not there.  If you don't have these in your Cert Store in the first place, you cannot delete them with this method.  Check his comments (and his link) in the comments section - some great input there, thanks Matthijs !


Rob VandenBrink

Keywords: ca flame Microsoft ssl
11 comment(s)
Diary Archives