Skip to main content
banner image
venafi logo

Flame Malware: Microsoft Closed Their Door, but YOUR Door Is Still Wide Open

Flame Malware: Microsoft Closed Their Door, but YOUR Door Is Still Wide Open

June 14, 2012 | Jeff Hudson, Venafi CEO

Microsoft takes security seriously. We know this because they apply a huge amount of resource to improving security in their products and systems. Additionally, it has been an area of focus of theirs for a while.

Microsoft issued digital certificates in 2009 using MD5 technology, which they themselves told people in 2008, not to use. They used these certificates in the licensing and update systems for one of their products. The MD5 based certificates were proven to be breakable in 2005.

"Certificates are a foundational part of the internet security infrastructure. Certificates protect data as it moves throughout the internet and they identify and represent that an application or a machine is what it says it is (authentication). Without certificates we would not have ecommerce, secure communications, and most of the other facilities that the world relies on today."

The attackers used these breakable MD5 certificates to open doors in the targeted networks. They broke the MD5 certificates and manufactured fraudulent copies. Using the fraudulent copies the attackers executed a man-in-the-middle attack which in effect created a wide open door into their targets. Through these open doors, they installed the Flame malware. MD5 based certificates were the open door, or attack vector, that allowed Flame to work. Microsoft closed the door by rendering the Microsoft specific MD5 certificates, invalid.

They closed THEIR door, but they did not close any other doors, including many that are on your network now. The really bad part of this whole situation is that Flame has received intense and ongoing attention in the media worldwide. Every attacker is contemplating how they use these open doors in their attacks.

Further, we know that the open doors exist throughout the Global 2000. We have current data from scans of the G2000 showing that 17.4 % of certificates in the Global 2000 use MD5 hash algorithms and are therefore open doors. This is not speculation, theoretical, or hypothetical. The doors are open now.

We have been informed by a number of the G2000 companies that their legal and risk departments are mandating that MD5 certificates be removed from the network. There are a number of rather severe consequences if one knowingly leaves doors open that could compromise customer, patient, or financial data. And that is not the biggest risk. Imagine your most valuable data. What would happen if it was stolen? Know that attackers will use the currently open doors on your network to go after your most valuable data.

"Certificates are a bit of a mystery to almost everyone on this planet except for technologists that work with them. Because of non-understanding, certificates are mismanaged just about everywhere. Even at Microsoft, they used certificates that by their own admission were known to be breakable in 2005. This is a classic case of poor certificate management."

Also please realize that IDS, IPS, firewalls, AVs and other security measures do not address these open doors on your network. You need to take specific action immediately.

What do you need to do about the open doors on your network today?

  1. Locate the MD5 based certificates on your network:
    Priority - High
  2. Remove them or replace with acceptable technology like SHA1 and SHA2
    Priority - High
  3. Establish a centralized management system for tracking and managing certificates so that the weak certificates or certificates that do not conform to your policies do not reappear on your network
    Priority - High

In summary, there are known open doors on your network right now. Before you do anything else, find out where they are and close them. Then put a system in place that will make sure they stay closed.

Read the Venafi Security Alert: MD5 Vulnerability and learn more about how to identify your MD5 certificates.

Like this blog? We think you will love this.
Featured Blog

How DoS/DDoS Attacks Impact Machine Identity, Digital Certificates

For safe and secure utilization of machine identities such as SSL/TLS cer

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Jeff Hudson, Venafi CEO
Jeff Hudson, Venafi CEO
Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more