Pardon the pun, but it seems the Flame malware is spreading like a wildfire. Over Memorial Day weekend, we were talking about Flame in relation to a Stuxnet-like attack on Iranian and other Middle Eastern networks. Today, the conversation turns to Flame spreading via a bogus Windows update.
Essentially, the malware is creating bogus certificates that fool Windows machines into thinking that parts of Flame are Microsoft products, according to PC World. Because Windows is fooled, it allows the malware into the system. And even though I always preach about the importance of patching and having good (and updated) anti-malware protection, this is an instance where the rule doesn't matter. Flame is infiltrating even fully patched machines.
Microsoft has responded quickly to the problem. The company released a security advisory on Sunday and has developed a patch to reject the bad certificates. This story should act as an alert, or at least a good reminder, that bad guys frequently use rogue certificates as a means of implanting viruses. Jeff Hudson, CEO at Venafi (a certificate management company), told me in an email:
Certificates exactly like the ones compromised as part of the Flame malware are used everywhere in organizations worldwide today and are vulnerable to the exact same compromise. If organizations do not have an automated management system in place, the likelihood of a catastrophic event is very high. Also, when the event occurs, recovery and remediation will take a very long time. Just like you need to manage and keep software up to date, you need to do the same thing with certificates.
Hudson also provided the following examples of best practices to protect your system from rogue certificates:
I suspect we haven't heard the last of Flame. And although Microsoft has pointed out that the attacks so far have been targeted and most customers are not at risk, we have to think it is only a matter of time until someone figures out how to use Flame to their advantage. Better to be prepared for the worst rather than think it won't happen to you.