More details in the MS TechNet post:
<quote>
We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft. We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft. Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft.

We are taking several steps to remove this risk:

• First, today we released a Security Advisory outlining steps our customers can take to block software signed by these unauthorized certificates.

• Second, we released an update that automatically takes this step for our customers.

• Third, the Terminal Server Licensing Service no longer issues certificates that allow code to be signed.
</quote>

http://blogs.technet.com/b/msrc/archive/2012/06/03/microsoft-releases-security-advisory-2718704.aspx
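The two properties the post describes, an old signature algorithm on the licensing certificates and a CA certificate whose extended key usage left code signing permitted, are both checkable from the certificate chain alone. Below is an added example (not code from Microsoft or from the post) that builds a hypothetical chain with exactly those two weaknesses, then audits it and applies the EKU nesting rule that Go's crypto/x509 verifier and Windows CryptoAPI both enforce: a leaf may be used for code signing only if every CA above it also permits code signing. The "Example Root CA" / "Example Licensing CA" names, the SHA-1 choice standing in for the post's "older algorithm", and the `fixed` switch modelling the post's third remediation step are all assumptions for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding is one problem the audit reports for a certificate in a chain.
type Finding struct {
	Subject string
	Problem string
}

// permitsEKU reports whether c may be used for the given extended key usage.
// A certificate with no EKU extension is unrestricted (RFC 5280 section 4.2.1.12).
func permitsEKU(c *x509.Certificate, want x509.ExtKeyUsage) bool {
	if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
		return true
	}
	for _, e := range c.ExtKeyUsage {
		if e == want || e == x509.ExtKeyUsageAny {
			return true
		}
	}
	return false
}

// AuditChain walks a leaf-first chain and flags (a) certificates signed with a
// deprecated hash (MD5 or SHA-1) and (b) CA certificates whose EKU extension
// explicitly grants code signing to everything they issue.
func AuditChain(chain []*x509.Certificate) []Finding {
	var out []Finding
	for _, c := range chain {
		switch c.SignatureAlgorithm {
		case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1, x509.DSAWithSHA1:
			out = append(out, Finding{c.Subject.CommonName, "signed with " + c.SignatureAlgorithm.String()})
		}
		if c.IsCA && len(c.ExtKeyUsage) > 0 && permitsEKU(c, x509.ExtKeyUsageCodeSigning) {
			out = append(out, Finding{c.Subject.CommonName, "CA extended key usage permits code signing"})
		}
	}
	return out
}

// CodeSigningAllowed applies EKU nesting: the leaf can sign code only if it and
// every issuer above it permit code signing.
func CodeSigningAllowed(chain []*x509.Certificate) bool {
	for _, c := range chain {
		if !permitsEKU(c, x509.ExtKeyUsageCodeSigning) {
			return false
		}
	}
	return true
}

func mustCert(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildLicensingChain constructs a hypothetical chain (generated here, not a
// real Microsoft chain): root -> licensing intermediate -> leaf asking for code
// signing. With fixed=false the intermediate and leaf are SHA-1 signed and the
// intermediate's EKU grants code signing; with fixed=true both are SHA-256
// signed and the intermediate's EKU is limited to server authentication.
func BuildLicensingChain(fixed bool) []*x509.Certificate {
	rootKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	interKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	leafKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	sigAlg, interEKU := x509.SHA1WithRSA, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageCodeSigning}
	if fixed {
		sigAlg, interEKU = x509.SHA256WithRSA, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	interTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Licensing CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, ExtKeyUsage: interEKU, SignatureAlgorithm: sigAlg}
	inter := mustCert(interTmpl, root, &interKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "Example Licensed Customer"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}, SignatureAlgorithm: sigAlg}
	leaf := mustCert(leafTmpl, inter, &leafKey.PublicKey, interKey)
	return []*x509.Certificate{leaf, inter, root}
}

func main() {
	for _, fixed := range []bool{false, true} {
		chain := BuildLicensingChain(fixed)
		fmt.Printf("fixed=%v code signing allowed=%v\n", fixed, CodeSigningAllowed(chain))
		for _, f := range AuditChain(chain) {
			fmt.Printf("  %s: %s\n", f.Subject, f.Problem)
		}
	}
}
```

Run against a real chain, replace the constructed certificates with `x509.ParseCertificate` over the DER you extract from the signed binary; the audit and nesting logic are unchanged. The fixed chain shows why the third remediation step works on its own: once the licensing CA's EKU no longer includes code signing, a leaf that claims the code-signing EKU fails the nesting rule regardless of what hash the leaf was signed with.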
A little more detail:
http://www.securityweek.com/microsoft-unauthorized-certificate-was-used-sign-flame-malware
It would be useful to solve the mystery of how the chain of trust was compromised.

Was a Microsoft employee involved?

Can't we have some sort of chain of trust beyond the reach of sovereign governments?
Doesn't surprise me.

Certificate signing is only as good as the weakest points, which are 1) humans, 2) code, 3) maths, respectively.

You can't trust (1), ever.

(2) is flawed by the fact that (1) made it.

(3) is pretty good but relies on a few assumptions which we appear to be arrogant enough to assume will always stand.