17 posts categorized "security"

06/04/2012

More Info on Microsoft Security Advisory (2718704)

Microsoft published "Microsoft certification authority signing certificates added to the Untrusted Certificate Store" on the TechNet Security Research and Defense blog, providing some more details on security advisory 2718704. Quoted from the article:

How did this happen?

When we initially identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft, we immediately began investigating Microsoft’s signing infrastructure to understand how this might be possible. What we found is that certificates issued by our Terminal Services licensing certification authority, which are intended to only be used for license server verification, could also be used to sign code as Microsoft. Specifically, when an enterprise customer requests a Terminal Services activation license, the certificate issued by Microsoft in response to the request allows code signing without accessing Microsoft’s internal PKI infrastructure.

On the relationship between this vulnerability and "Flame":

Connection to Flame malware

Components of the Flame malware were signed with a certificate that chained up to the Microsoft Enforced Licensing Intermediate PCA certificate authority, and ultimately, to the Microsoft Root Authority. This code-signing certificate came by way of the Terminal Server Licensing Service that we operate to issue certificates to customers for ancillary PKI-based functions in their enterprise. Such a certificate could (without this update being applied) also allow attackers to sign code that validates as having been produced by Microsoft.

Update ASAP.

06/03/2012

Microsoft Security Advisory (2718704)

Microsoft issued the following security advisory tonight:

Microsoft is aware of active attacks using unauthorized digital certificates derived from a Microsoft Certificate Authority. An unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows.

Microsoft is providing an update for all supported releases of Microsoft Windows. The update revokes the trust of the following intermediate CA certificates:

  • Microsoft Enforced Licensing Intermediate PCA (2 certificates)
  • Microsoft Enforced Licensing Registration Authority CA (SHA1)

Hopefully there will be more details on Monday. The Internet Storm Center posted this advisory. An excerpt:

Microsoft just released an emergency bulletin, and an associated patch, notifying users of Windows that a "unauthorized digital certificates derived from a Microsoft Certificate Authority" was used to sign components of the "Flame" malware.

Scary stuff...

10/20/2011

OMG! A *JBoss* Worm!!

I nearly fell out of my chair when I came across this post at the Internet Storm Center: JBoss Worm. JBoss certainly has come a long way--now it's got a worm! The JBoss Community article "Statement Regarding Security Threat to JBoss Application Server" has some additional information but both the ISC and JBoss Community articles are a bit short on information--for example, I'm kind of interested in what kind of code gets executed once infection has occurred. (Update: OK, I take that last sentence back. The first comment describes what the worm does in very nice detail.)

The worm spreads by connecting to unsecured jmx consoles and then executes code as the user jboss runs as.  If you hadn't followed the instructions in "Securing the JMX and Web Console" to restrict access to the jmx console, placed your app servers in your DMZs, and figured running them on port 80 as root was fine because "it's *just* jboss...who hacks jboss?" then you're in for a rough night and/or weekend.

If you are front-ending your jboss servers with Apache and figured setting a ProxyPass and ProxyPassReverse for "/" to your app servers was fine, it wasn't. The same applies to those mod_jk JkMounts for "/*".
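
A defensive check for the catch-all mappings described above, as an added example that is not from the original post: it reads Apache configuration text and reports whether the JMX or web console paths would be forwarded to the app server. The console URL prefixes, host name and worker name are assumptions; ProxyPass inside `<Location>` blocks is not handled, and a matching JkUnMount is treated as cancelling any JkMount regardless of worker.

```python
import fnmatch

# Consoles named in the post; the URL prefixes are an assumption (default JBoss AS install).
ADMIN_PATHS = ("/jmx-console/", "/web-console/")

def exposed_admin_paths(conf_text, admin_paths=ADMIN_PATHS):
    """Map each admin path the front end would forward to the directive doing it."""
    proxy_rules, jk_mounts, jk_unmounts = [], [], []
    for raw in conf_text.splitlines():
        parts = raw.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        name = parts[0].lower()  # directive names are case-insensitive
        if name == "proxypass":
            proxy_rules.append((parts[1], parts[2], raw.strip()))
        elif name == "jkmount":
            jk_mounts.append((parts[1], raw.strip()))
        elif name == "jkunmount":
            jk_unmounts.append(parts[1])
    findings = {}
    for path in admin_paths:
        # ProxyPass rules are checked in configuration order, first match wins,
        # so a "!" exclusion only protects a path if it precedes the catch-all.
        for prefix, target, line in proxy_rules:
            if path.startswith(prefix):
                if target != "!":
                    findings[path] = line
                break
        # Simplifying assumption: a matching JkUnMount cancels any JkMount,
        # whatever worker it names.
        unmounted = any(fnmatch.fnmatchcase(path, p) for p in jk_unmounts)
        if path not in findings and not unmounted:
            hit = next((l for pat, l in jk_mounts if fnmatch.fnmatchcase(path, pat)), None)
            if hit:
                findings[path] = hit
    return findings

# Constructed sample configurations; host and worker names are made up.
CATCH_ALL = "ProxyPass / http://app.internal:8080/\nProxyPassReverse / http://app.internal:8080/\n"
LATE_EXCLUSION = "ProxyPass / http://app.internal:8080/\nProxyPass /jmx-console !\n"
SCOPED = ("ProxyPass /jmx-console !\nProxyPass /web-console !\n"
          "ProxyPass /shop http://app.internal:8080/shop\nJkMount /shop/* worker1\n")
JK_CATCH_ALL = "JkMount /* worker1\n"

if __name__ == "__main__":
    for name, conf in [("catch-all", CATCH_ALL), ("late exclusion", LATE_EXCLUSION),
                       ("scoped", SCOPED), ("mod_jk catch-all", JK_CATCH_ALL)]:
        print(f"{name}: {exposed_admin_paths(conf) or 'consoles not forwarded'}")
```

The "late exclusion" sample is the case worth noticing: the `!` rule is present but sits after the catch-all, so the console is still forwarded.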