Submitted by Ken Dwight on
On June 3, Microsoft pushed out an "out-of-band" update for every supported version of the Windows operating system. The term "out-of-band" designates an update that is released on a date other than the normal monthly Windows Updates, which are scheduled to be distributed on the second Tuesday of each month. Another apt description of these updates would be "Emergency Updates."
And in fact, that is exactly what this particular update represents. While there has been much talk about the Flame malware in the past few weeks, most of that discussion has been based on the idea that Flame is the most sophisticated, most complex malware ever produced.
It is seen as a successor to other widely publicized malware, including Stuxnet and Duqu. All three of these threats appear to be state-sponsored and are best known for targeting the nuclear reactors used in Iran. None of them seemed to threaten the average computer user in the United States.
In a startling revelation, Microsoft disclosed that the vulnerability exploited by Flame could be used to turn Microsoft Update into a malware delivery mechanism. As Selena Frye puts it in her IT Security blog, "Yikes and double yikes!"
Well-known and highly regarded security researcher Mikko Hypponen calls this the "holy grail" of malware writers. He reports that Flame has managed to spoof Microsoft-signed digital certificates, creating the potential for man-in-the-middle attacks on the Microsoft Update system.
The full advisory from Microsoft is at this address: http://technet.microsoft.com/en-us/security/advisory/2718704, although the advisory does not sound the alarm bells as loudly as Frye and Hypponen do in their respective comments.
In any event, the solution to this new infection vector is to install the appropriate Windows Update immediately on all vulnerable computers. Until this step is taken, malware could infect an unpatched computer by masquerading as a normal Windows Update.