In a Network World article posted yesterday, Marcus Carey, a researcher at Rapid7, is quoted as saying:
“Flame is an impressive piece of work, but it doesn't appear to pose a threat to most corporate networks because it seems to have been crafted for targeted attacks against networks in the Middle East.”
I would like to expand on and get specific about what he is quoted as saying. Parsing the statement, Carey claims that the Flame malware probably doesn’t pose a threat to corporate networks. He is probably right because every half-conscious security person is on the lookout for Flame.
The problem is that most people are looking at the malware package… the 20MB malware, and not the attack vector. The bigger issue is the door that Microsoft left open for the introduction of Flame: the use of certificates with MD5, which has been proven vulnerable for the last 7 years. Microsoft has closed its door (removing those untrusted, vulnerable certificates) and has announced to the world that it fixed the problem.
Whew… everyone breathe a sigh of relief.
Big problem, that sigh of relief. The door to this serious security vulnerability remains wide open for 99% of all remaining organizations around the world. We know this to be a fact: MD5 is being used broadly on critical networks.
So when Microsoft says not to worry, the problem's fixed, and when well-respected researchers correctly point out that Flame itself is not a threat, most people assume that the danger is behind us. That assumption could not be more wrong or more dangerous.
The attack vector is still wide open. Stay tuned.
Read the Venafi Security Alert: MD5 Vulnerability and learn more about how to identify your MD5 certificates.
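One way to identify an MD5-signed certificate, as an added example (it is not part of the original post and is not Venafi's tooling): read the certificate's `signatureAlgorithm` OID and compare it with `md5WithRSAEncryption`. The function names are hypothetical and the sample certificates are constructed skeletons, not real certificates.

```python
import ssl

# signatureAlgorithm OIDs that depend on MD5 (PKCS #1 md5WithRSAEncryption)
MD5_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    """Turn DER OID content bytes into dotted notation."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                 # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_oid(cert):
    """OID of Certificate.signatureAlgorithm, the field after tbsCertificate."""
    if cert.strip().startswith(b"-----BEGIN"):          # accept PEM as well as DER
        cert = ssl.PEM_cert_to_DER_cert(cert.strip().decode("ascii"))
    _, start, _ = read_tlv(cert, 0)         # outer Certificate SEQUENCE
    _, _, tbs_end = read_tlv(cert, start)   # step over tbsCertificate
    alg_tag, alg_start, _ = read_tlv(cert, tbs_end)
    oid_tag, oid_start, oid_end = read_tlv(cert, alg_start)
    if alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not an X.509 certificate")
    return decode_oid(cert[oid_start:oid_end])

def md5_signed(cert):
    """Return the algorithm name if the certificate is MD5-signed, else None."""
    return MD5_SIG_OIDS.get(signature_oid(cert))

def tlv(tag, body):
    """Minimal DER encoder for the constructed samples (bodies under 256 bytes)."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + body

def sample_cert(last_arc):
    """Constructed skeleton: dummy tbsCertificate, chosen OID, dummy signature."""
    oid = bytes.fromhex("2a864886f70d0101") + bytes([last_arc])
    alg = tlv(0x30, tlv(0x06, oid) + b"\x05\x00")
    return tlv(0x30, tlv(0x30, b"\x00" * 150) + alg + tlv(0x03, b"\x00\xaa"))
```

`md5_signed()` takes the raw bytes of a certificate file, DER or PEM, so it can be run over each file in a certificate inventory.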