The Microsoft Security Response Center published a post yesterday that discusses how its products were misused as part of the Flame malware that has received a lot of media attention. Because the malware is aimed at very specific targets, most users are not at risk. Microsoft’s analysis of the malware has found that components of Flame are signed by certificates that appear to come from Microsoft.
The Terminal Server Licensing Service allows customers to authorize Remote Desktop in the enterprise, but it used an older algorithm that could be exploited to create certificates capable of signing code as if it came from Microsoft.
Microsoft released Security Advisory 2718704, which explains how to revoke the certificates and block the software. A Windows Update will do this automatically. The Terminal Server Licensing Service has been updated so that it no longer issues certificates for code signing.
More details are available from Microsoft’s Security Research and Defense blog. You can read the full, formal announcement about these discoveries from the Microsoft Security Response Center blog.