[semenko]

Maybe:

1. The certificate appeared to be available to anyone who was looking hard enough. Microsoft provided the misconfigured certificate to anyone activating their Terminal Services product (!). Pretty embarrassing.

2. It's not evident what the signing requirements are for Microsoft Automatic Updates code (at least I can't find them). Presumably they validate an explicit Windows Update chain, but if they don't, this could perhaps enable an attacker to auto-install the Flame virus as an update. I doubt that would be the case, but their security announcements aren't very forthcoming.

[marshray]

The Windows Update signing requirements are, AFAICT, not documented and they do require a special chain. Whether having Microsoft in the root is special enough is another question.

Regardless, it appears that a signed driver is enough to pwn any modern Windows box via USB. "The system is installing driver software for your device..."

EDIT: What it most likely would work for over the network would be a man-in-the-middle attack on users who "Always trust ActiveX controls from Microsoft". Not to mention plain old impersonating websites for users of MSIE and Chrome.

A scary but plausible possibility is that an attacker with such a cert could forge client certificate credentials to obtain remote access via RDP, MS Terminal Services Gateway, ISS certificate mapping, etc.

[semenko]

F-Secure claims that this /would/ allow forgery of Windows Updates (!!): http://www.f-secure.com/weblog/archives/00002377.html

"...Flame has a module which appears to attempt to do a man-in-the-middle attack on the Microsoft Update system..."

[marshray]

Yep. It appears that, in fact, windows update has been pwned by these certs.

More info. https://www.securelist.com/en/blog/208193558/Gadget_in_the_m...

[anonymfus]

>Regardless, it appears that a signed driver is enough to pwn any modern Windows box via USB.

Via USB you can pwn any modern OS by implementing standard mouse, keyboard and display device classes.