Flame Exploited Long-Known Flaw in MD5 Certificate Algorithm

Flame attackers' ability to forge a valid certificate for Windows Update should be a warning to companies to stop using the MD5 algorithm to issue security certificates.

By: Robert Lemos

A known weakness in the MD5 hash function gave the group behind the Flame malware an opportunity to forge a valid certificate for Microsoft's Windows Update service.

Yet while security researchers have known about the weakness for more than a decade, nearly every company today continues to use the MD5 hash function to secure its systems, one security vendor reports.

Certificate-management firm Venafi scanned 450 companies in the Global 2000 and found that every single one had MD5 certificates associated with their networks. In total, 17.4 percent of the certificates used to sign servers, code and VPN access still used the MD5 algorithm, the company found.

The continued use of the broken cryptographic hash algorithm puts the companies at risk, as cyber-criminals are expected to quickly adopt attacks against the MD5, now that Flame has demonstrated the possibilities, says Jeff Hudson, CEO of Venafi.

"We are going to all our customers and saying, you have to get MD5 off the network," Hudson says. "It's critically important, because ... the backdoor is wide open."

Microsoft issued an emergency patch on June 3 to invalidate the fake certificate, which resembled those issued by the company's Terminal Services Licensing server. Starting with Windows Vista, Microsoft signed its Windows Update with code signing certificates. The company mistakenly allowed its Terminal Services infrastructure to sign code. Any executable pushed to an unpatched system will be accepted as a valid Windows Update.

Security firm Kaspersky called the existence of the fake certificate-known as a collision in cryptographer's parlance-better than an undiscovered code flaw.

"What we've found now is better than any zero-day exploit," the company said in its own analysis. "It actually looks more like a 'god mode' cheat code-valid code signed by a keychain originating from Microsoft."

The existence of proof that MD5 collision attacks are practical should have companies rushing to expunge the flawed security measures from their networks, says Venafi's Hudson. Venafi scanned its own customers and the networks of prospects. It found certificates issued by various certificate authorities but also found a significant number of self-signed certificates, a common practice but one with additional dangers.

Calling its estimate that 17.4 percent of all certificates use the MD5 algorithm the "best-case" situation, Hudson expects that smaller companies are more likely to use MD5 and self-sign their certificates.

Venafi recommends that companies use SHA-1 to sign their certificates with a key length of 2048 bits. Intermediate and root certificates, such as Microsoft's Terminal Services certificate, should be 4096 bits or use the newer SHA-2 algorithm, even though support for that technology is lacking in some cases.