Wednesday, June 13, 2012

http://spectrum.ieee.org/riskfactor/telecom/security/flame-ordered-to-flame-out/?utm_source=computerwise&utm_medium=email&utm_campaign=061312#.T9h_0yyImhk.mailto

"Flame's authors were able 'to generate a rogue Microsoft digital code-signing certificate that allowed them to distribute the malware to Windows computers as an update from Microsoft.' They accomplished this, ComputerWorld says, by using a previously unknown cryptographic collision attack on the MD5 encryption algorithm (Stevens and company demonstrated one method in 2008) which Microsoft security engineers explain in a blog post here."

So why didn't Microsoft patch a known hole that they warned everybody else about 4 years ago? And how secure will the Internet be when we all know that our software updates might actually be downloading viruses instead? Thanks a lot, Flame makers!
