Microsoft takes security seriously. We know this because they apply a huge amount of resources to improving security in their products and systems. Additionally, security has been an area of focus for them for a while.
Yet Microsoft issued digital certificates in 2009 using MD5 technology, which they themselves had told people in 2008 not to use. They used these certificates in the licensing and update systems for one of their products. MD5 based certificates had been proven breakable in 2005.
"Certificates are a foundational part of the internet security infrastructure. Certificates protect data as it moves throughout the internet and they identify and represent that an application or a machine is what it says it is (authentication). Without certificates we would not have ecommerce, secure communications, and most of the other facilities that the world relies on today."
The attackers used these breakable MD5 certificates to open doors in the targeted networks. They broke the MD5 certificates and manufactured fraudulent copies. Using the fraudulent copies the attackers executed a man-in-the-middle attack, which in effect created a wide open door into their targets. Through these open doors, they installed the Flame malware. MD5 based certificates were the open door, or attack vector, that allowed Flame to work. Microsoft closed the door by rendering the Microsoft-specific MD5 certificates invalid.
They closed THEIR door, but they did not close any other doors, including many that are on your network now. The really bad part of this whole situation is that Flame has received intense and ongoing attention in the media worldwide. Every attacker is contemplating how to use these open doors in their attacks.
Further, we know that the open doors exist throughout the Global 2000. We have current data from scans of the G2000 showing that 17.4% of certificates in the Global 2000 use MD5 hash algorithms and are therefore open doors. This is not speculation, theoretical, or hypothetical. The doors are open now.
We have been informed by a number of the G2000 companies that their legal and risk departments are mandating that MD5 certificates be removed from the network. There are a number of rather severe consequences if one knowingly leaves doors open that could compromise customer, patient, or financial data. And that is not the biggest risk. Imagine your most valuable data. What would happen if it was stolen? Know that attackers will use the currently open doors on your network to go after your most valuable data.
"Certificates are a bit of a mystery to almost everyone on this planet except for technologists that work with them. Because of non-understanding, certificates are mismanaged just about everywhere. Even at Microsoft, they used certificates that by their own admission were known to be breakable in 2005. This is a classic case of poor certificate management."
Also please realize that IDS, IPS, firewalls, AVs and other security measures do not address these open doors on your network. You need to take specific action immediately.
What do you need to do about the open doors on your network today?
- Locate the MD5 based certificates on your network. Priority - High
- Remove them or replace them with acceptable technology like SHA1 and SHA2. Priority - High
- Establish a centralized management system for tracking and managing certificates so that weak certificates, or certificates that do not conform to your policies, do not reappear on your network. Priority - High
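One way to carry out the first step offline on exported certificates, as an added example that is not part of this post or of any Venafi product: a standard-library-only walk of the DER structure that reads the certificate's signatureAlgorithm OID and flags the MD5 family. The sample certificate it checks is a constructed DER shell (not a real signed certificate); the OID table is an assumption limited to the RSA-signature OIDs named in the comments.

```python
# Flag X.509 certificates signed with MD5 by decoding the signatureAlgorithm OID straight from DER.

# OID -> (name, must_replace). Only the MD5 OID is flagged, matching the post's advice.
SIG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
}

def _tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """OBJECT IDENTIFIER content bytes -> dotted string (first byte packs two arcs, rest base-128)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    _, cert, _ = _tlv(der)
    _, _, after_tbs = _tlv(cert)            # skip tbsCertificate entirely
    _, alg_id, _ = _tlv(cert, after_tbs)    # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, params }
    _, oid, _ = _tlv(alg_id)
    return _decode_oid(oid)

def classify(der):
    """Return (algorithm name, must_replace); unknown OIDs are reported by number, not flagged."""
    oid = signature_algorithm_oid(der)
    return SIG_OIDS.get(oid, (oid, False))

# --- constructed sample (not a real certificate): a minimal DER shell carrying a chosen signature OID ---
OID_MD5_RSA = bytes.fromhex("2A864886F70D010104")     # 1.2.840.113549.1.1.4, DER content bytes
OID_SHA256_RSA = bytes.fromhex("2A864886F70D01010B")  # 1.2.840.113549.1.1.11
def _der(tag, payload):                     # short-form length only; the sample stays under 128 bytes
    return bytes([tag, len(payload)]) + payload
def fake_cert(sig_oid_bytes):
    tbs = _der(0x30, _der(0x02, b"\x01"))                              # placeholder tbsCertificate
    alg = _der(0x30, _der(0x06, sig_oid_bytes) + b"\x05\x00")          # algorithm OID + NULL parameters
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" + b"\xAA" * 8))   # + signatureValue BIT STRING
```

A PEM export needs only its base64 body decoded before being passed to classify; a network-wide inventory is this check applied to every certificate collected from your hosts.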
In summary, there are known open doors on your network right now. Before you do anything else, find out where they are and close them. Then put a system in place that will make sure they stay closed.
Read the Venafi Security Alert: MD5 Vulnerability and learn more about how to identify your MD5 certificates.