
'Flame' worm signed with Microsoft Certificate

Microsoft released an emergency Windows update after revealing that one of its trusted digital signatures was being abused to sign the Flame malware that has infected computers in Iran and other Middle Eastern countries.

These unauthorised digital certificates allowed the Flame developers to make the malware appear as if it was actually created and approved by Microsoft.

"As soon as we discovered the root cause of this issue, we immediately began building an update to revoke the trust placed in the 'Microsoft Enforced Licensing Intermediate PCA' and 'Microsoft Enforced Licensing Registration Authority CA' signing certificates," the TechNet blog post reads.

Here are the thumbprints of the certificates to be placed in the Untrusted Certificates Store.

Certificate: Microsoft Enforced Licensing Intermediate PCA
Issued by: Microsoft Root Authority
Thumbprint: 2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70

Certificate: Microsoft Enforced Licensing Intermediate PCA
Issued by: Microsoft Root Authority
Thumbprint: 3a 85 00 44 d8 a1 95 cd 40 1a 68 0c 01 2c b0 a3 b5 f8 dc 08

Certificate: Microsoft Enforced Licensing Registration Authority CA (SHA1)
Issued by: Microsoft Root Certificate Authority
Thumbprint: fa 66 60 a9 4a b4 5f 6a 88 c0 d7 87 4d 89 a8 63 d7 4d ee 97

For further information, read this TechNet blog post.
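As an added check that is not part of the TechNet post or this article: the PowerShell below confirms on a Windows machine that the three thumbprints listed above are present in the Untrusted Certificates store (exposed to PowerShell as Cert:\LocalMachine\Disallowed), which is what the revocation update is meant to achieve. The thumbprints are copied from the table; the function name is my own.

```powershell
# Added example, not from the TechNet post. Verifies that the three Flame-related
# certificates are listed in the local machine's Untrusted Certificates store.
$RevokedThumbprints = @(
    '2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70',  # Microsoft Enforced Licensing Intermediate PCA
    '3a 85 00 44 d8 a1 95 cd 40 1a 68 0c 01 2c b0 a3 b5 f8 dc 08',  # Microsoft Enforced Licensing Intermediate PCA
    'fa 66 60 a9 4a b4 5f 6a 88 c0 d7 87 4d 89 a8 63 d7 4d ee 97'   # Microsoft Enforced Licensing Registration Authority CA (SHA1)
)

function Test-FlameCertsUntrusted {
    # Hypothetical helper name; the store path is the real location of the
    # "Untrusted Certificates" store for the local machine.
    param([string]$StorePath = 'Cert:\LocalMachine\Disallowed')

    # Thumbprints in the certificate store are upper-case hex without separators,
    # so normalise the spaced values from the table the same way before comparing.
    $wanted  = $RevokedThumbprints | ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() }
    $present = Get-ChildItem -Path $StorePath | Select-Object -ExpandProperty Thumbprint

    foreach ($tp in $wanted) {
        [pscustomobject]@{
            Thumbprint = $tp
            Untrusted  = [bool]($present -contains $tp)
        }
    }
}

# Any row showing Untrusted = False means the revocation update has not taken effect on this host.
Test-FlameCertsUntrusted | Format-Table -AutoSize
```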

Yahoo mistakenly leaks private certificate with Chrome extension version of Axis


Yahoo! has released a new browser for iPad and iPhone, dubbed "Axis," along with corresponding extensions for desktop versions of Chrome, Firefox, Safari, and IE 9.

Within hours of the launch, security researcher Nik Cubrilovic discovered that Yahoo had mistakenly bundled its own private certificate file inside the Chrome extension version of Axis.

"A private key is used by a developer to sign an extension package in order to prove that the extension is actually from the developer. If a malicious third party were to obtain the private key, they would be able to release an extension signed with that developer's certificate," a Sophos security researcher says.

With the private key in the wild, it would be possible to create and sign an extension that appeared to be from Yahoo!.

Cubrilovic used Yahoo's own certificate to sign a forged version of the Chrome extension as a proof of concept.

Cubrilovic writes about the implications of Yahoo's inclusion of the private certificate:

"The clearest implication is that with the private certificate file and a fake extension you can create a spoofed package that captures all web traffic, including passwords, session cookies, etc. The easiest way to get this installed onto a victim's machine would be to DNS spoof the update URL. The next time the extension attempts to update it will silently install and run the spoofed extension."