For systems running Windows Vista or Windows 7, the Flame attackers had to use a combination of a forged certificate and an MD5 hash collision attack to gain access to targeted systems, explained Mike Reavey, senior director of Microsoft Security Response Center (MSRC) in a blog.
In all versions of Windows, the attacker needed to get the signed code onto the target system.
“This can be done if the client’s automatic update program receives the attacker’s signed package because such packages are trusted so long as they are signed with a Microsoft certificate. Windows Update can only be spoofed with an unauthorized certificate combined with a man-in-the-middle attack”, Reavy explained.
Jonathan Ness with MSRC Engineering explained in another blog that by default the forged certificate would not work on Windows Vista or Windows 7, so the attackers had to perform an MD5 collision attack to forge a certificate that would be valid for code signing on Windows Vista and Windows 7.
Commenting on the Microsoft analysis, Paul Ducklin with Sophos explained: “In the Flame case, the attackers took a legitimate Microsoft certificate using MD5 for its hash and RSA-2048 for its public-key encryption. They then generated a similar-but-different certificate with the same MD5 hash. This means that the RSA-2048 signature from Microsoft's genuine certificate could be grafted into their forged certificate to make it appear valid.”
Because of the vulnerability of MD5, Ducklin advised readers not to use digital certificates that rely on MD5, but rather to use SHA-1 “as a minimum whether a cryptographic has is called for, and prefer SHA-2 if practicable.”