The SecureList summary was much more detailed: http://www.securelist.com/en/blog/208193558/Gadget_in_the_middle_Flame_malware_spreading_vector_identified

Flame took advantage of WPAD, a little-known magical hostname (http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol), to do MITM attacks on the Windows Update servers.

Flame then installed 'WuSetupV.exe' with the description "Desktop Gadget Platform" "Allows you to display gadgets on your desktop".

What's amazing is that Windows Update doesn't require explicit validation of an update-only certificate chain. It seems like any certificate from the Microsoft root can certify updates (!).
This is like finding out the zombies have made it into the compound.

I wonder how big this hole is to fix. I also wonder, as many have, if this was written by an intelligence agency and, if so, if they had access to Windows' source code.
It really was an unbelievable oversight to use the same certs in the Terminal Services activation system.

Quite a demonstration that even if you go to great pains to secure the code, if you aren't careful with your credentials then it's all for nothing.
> I guess the good news is that this wasn't done by cyber criminals interested in financial benefit. They could have infected millions of computers. Instead, this technique has been used in targeted attacks, most likely launched by a Western intelligence agency.

You mean the bad news.
Apparently the other tricky bit is that Windows can be set to auto-configure network proxies (presumably for enterprise support), so the infected host pretends to be the source of auto-config info in order to direct the other systems to connect through it to get to Windows Update. At which point the infected system can infect the package, which has been signed so it will auto-install.
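The two comments above describe the same mechanism from the defender's side: a host that answers WPAD lookups (or serves the PAC file) can steer other machines' Windows Update traffic through itself. The following is an added example, not code from the thread, F-Secure or Kaspersky, showing the two checks a network defender would run: audit the PAC file your clients actually receive for proxies that are not on an approved list, and scan DNS query logs for WPAD answers that point somewhere other than the sanctioned PAC server. The PAC text, the log format, the host names and the IP addresses are all constructed for the example.

```python
import re

# Constructed sample PAC file, in the shape Windows fetches from http://wpad/wpad.dat.
# A legitimate corporate PAC names one proxy; this one also sends update traffic
# to a second, unexpected host (the pattern the comments above describe).
SAMPLE_PAC = """
function FindProxyForURL(url, host) {
    if (dnsDomainIs(host, ".windowsupdate.com") ||
        dnsDomainIs(host, ".update.microsoft.com"))
        return "PROXY 10.0.0.23:8080";
    if (isPlainHostName(host)) return "DIRECT";
    return "PROXY proxy.corp.example:3128; DIRECT";
}
"""

# Constructed DNS resolver log lines (assumed key=value format, one query per line).
SAMPLE_DNS_LOG = """\
2012-06-04T10:01:02Z client=10.0.0.41 qname=wpad.corp.example qtype=A answer=10.0.0.5
2012-06-04T10:01:07Z client=10.0.0.42 qname=www.example.com qtype=A answer=93.184.216.34
2012-06-04T10:02:11Z client=10.0.0.43 qname=wpad.corp.example qtype=A answer=10.0.0.23
2012-06-04T10:02:15Z client=10.0.0.44 qname=wpad qtype=A answer=10.0.0.23
"""

# Assumed allowlists: the proxies a PAC file may legitimately name, and the
# addresses that are allowed to answer for the WPAD host name.
APPROVED_PROXIES = {"proxy.corp.example:3128"}
APPROVED_WPAD_HOSTS = {"10.0.0.5"}

PROXY_RE = re.compile(r"\bPROXY\s+([^\s;\"']+)")
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) "
    r"qtype=(?P<qtype>\S+) answer=(?P<answer>\S+)$"
)


def extract_proxies(pac_text):
    """Return every host:port named in a PROXY directive anywhere in the PAC file."""
    return set(PROXY_RE.findall(pac_text))


def unapproved_proxies(pac_text, approved=APPROVED_PROXIES):
    """Proxies the PAC file would route clients through that are not on the allowlist."""
    return sorted(extract_proxies(pac_text) - set(approved))


def is_wpad_name(qname):
    """WPAD lookups are either the bare label 'wpad' or 'wpad.<search-domain>'."""
    q = qname.lower().rstrip(".")
    return q == "wpad" or q.startswith("wpad.")


def rogue_wpad_answers(log_text, approved=APPROVED_WPAD_HOSTS):
    """Return (timestamp, client, answer) for WPAD lookups answered by an unapproved address."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed log format
        if is_wpad_name(m["qname"]) and m["answer"] not in approved:
            hits.append((m["ts"], m["client"], m["answer"]))
    return hits


if __name__ == "__main__":
    print("unapproved proxies in PAC:", unapproved_proxies(SAMPLE_PAC))
    for ts, client, answer in rogue_wpad_answers(SAMPLE_DNS_LOG):
        print(f"{ts} {client} resolved WPAD to unapproved host {answer}")
```

Both checks are allowlist-based on purpose: a PAC file is arbitrary JavaScript, so rather than trying to predict what it returns for a given URL, the audit simply refuses any proxy it has never seen before, and the DNS scan treats any WPAD answer that is not the known PAC server as a finding. Running the PAC audit against the file clients actually download (not the one checked into configuration management) is what catches a host that has inserted itself into the path.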
Here we have an example of complexity arising from copy protection/licensing. It so happens that this complexity caused a security vulnerability which, when exploited on any one computer, affects close to a billion computers.

Is anyone else infuriated that a vulnerability like this exists in what is analogous to copy protection code?

In other words, if Microsoft had been spending more of their resources on making software work, instead of making software work only when you've proven you've paid for it, this particular issue would not exist.
Oh look, another scaremongering and purposely misleading article from F-Secure. This is starting to become a regular thing isn't it; I guess the recession must have hit them particularly hard.