Flame malware, buzz of June 2012, had an interesting replication methods through Microsoft Windows Update service. The SNACK (NBNS spoofing) and MUNCH (Spoofing proxy detection and Windows Update request) Flame modules have allow man in the middle (MITM) attacks allowing distribution of forged Windows updates to the targets.

The MITM URLs were :

download.windowsupdate.com
download.microsoft.com
update.microsoft.com
www.update.microsoft.com
v5.windowsupdate.microsoft.com
windowsupdate.microsoft.com
www.download.windowsupdate.com
v5stats.windowsupdate.microsoft.com

The problem was that components of Flame were signed using a forged certificate that the attacker were able to create by exploiting a weakness in Microsoft Terminal Services, how allow users to sign code with Microsoft certificates.

Microsoft has issue a security advisory (MSA-2718704) and an update (KB-2718704) how will remove the untrusted certificates.

But since today, “Microsoft Root Certificate Authority” root certificate, “Microsoft Update Secure Server CA 1” intermediate certificate are not more trusted by majority of Internet browsers like Firefox, Chrome, Safari and Opera. The cause is that Microsoft has regenerate the Windows Update certificate chain. The chain of trust is broken (Qualys SSL LabsSSL Shopper SSL Checker) for www.update.microsoft.com and update.microsoft.com.

SSL certificates for the following domain names are also no more trusted, cause the chain of trust is broken:

www.update.microsoft.com
update.microsoft.com
v5.windowsupdate.microsoft.com
windowsupdate.microsoft.com

The SSL certificates associated to the following domain names are also no more trusted, cause they are pointing to a host not corresponding to the requested domain name (hosted on Akamai):

download.windowsupdate.com
download.microsoft.com
www.download.windowsupdate.com

With KB-2718704 installed on an up2date Windows XP SP3, only “www.update.microsoft.com“ domain could be considered as trusted, if you use Internet Explorer.

But despite the installation of KB-2718704, the following domains are still invalid:

update.microsoft.com
v5.windowsupdate.microsoft.com
windowsupdate.microsoft.com
download.windowsupdate.com
download.microsoft.com

Here under some screenshots of different browsers and error messages.

[nggallery id=5]