Any organization that has certificates signed with the MD5 algorithm is at risk of a Flame-style attack.
Microsoft has done a great job of solving its MD5 problem, and it has done a decent job of convincing the world that the doors are closed. However, its patch and update does nothing to solve the problem related to ALL deployed certificates signed with MD5. Which, as pointed out above, include those issued by CAs such as VeriSign, GeoTrust and more.
Security researchers are saying that Flame doesn’t appear to pose a threat to corporate networks because it was crafted to spy on networks in the Middle East. This is like saying that people living in gang neighborhoods should not be concerned about AK-47s, because they were built for the battlefield.
If you were a hacker and you knew MD5 was easily compromised and that a certificate could get you past AV, what route would you take into a network? If you were responsible for security within an enterprise, how would you know where all of your weak certificates are located? An MS update won’t reveal this. If you have MD5, you have a problem.
So far, the news has been focused on the complexity of Flame itself. By being transparent on the Flame incident, Microsoft has proven to the world that weak certificates are the key to Flame-style compromises. Hackers know this, this is why there has been a trend toward certificate-based attacks starting with Stuxnet, Duqu and now Flame.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.