According to a recent investigation by Microsoft, some components of the Flame worm were signed using forged certificates. With forged certificates, the worm makes the malware appear to be actually created and approved by Microsoft.

Mike Reavey, Senior Director of Microsoft's Security Response Center (MSRC), says that the malicious code was signed using the company's Terminal Server Licensing Service, which is used by corporate customers to authorize Remote Desktop services. Although he doesn't go into detail as to how the Flame developers were able to sign their code, he does say that it has to do with exploiting a weakness in "an older cryptography algorithm".

It is thought that Microsoft used the MD5 algorithm, which is now considered insecure, to sign these certificates. By using what is referred to as hash collisions, an attacker can create a fraudulent certificate that has the same MD5 hash as the official MS certificate. Then the attacker can use their second certificate to sign code which will be accepted as actually coming from MS itself. "The Terminal Server Licensing Service no longer issues certificates that allow code to be signed", added Reavey.

In total, three certificates are affected; these include two "Microsoft Enforced Licensing Intermediate PCA" certificates issued by "Microsoft Root Authority", and a "Microsoft Enforced Licensing Registration Authority CA (SHA1)" certificate from "Microsoft Root Certificate Authority". Microsoft has released an emergency patch for all supported versions of Windows which moves these certificates to the Untrusted Certificate Store, blocking software signed by the fake certificates.

Further information, including the thumbprints of the affected certificates, can be found in a TechNet blog post by MSRC Engineering team member Jonathan Ness.