Flame: Replication via Windows Update MITM proxy server

Why the obsolete Issuer Unique Identifier?

Keep up the brilliant work — very helpful analyses and well-written as well.

Today Microsoft staff provide a somewhat puzzling explanation on this same topic from their perspective (http://blogs.technet.com/b/srd/archive/2012/06.aspx) — the certificate had ‘irregularities’ (no X.509 extension fields, as certificates issued from the Terminal Server licensing infrastructure have, so no Certificate Revocation List (CRL) Distribution Point (CDP) extension, no Authority Information Access (AIA) extension, and no Microsoft Hydra extension set to ‘critical’).

Yet using a certutil.exe dump, MS analysts found these fields within the ‘obsolete’ Issuer Unique Identifier: the X.509V3 extension field at byte offset 0x119, the CDP CRL at offset 0x161, the AIA at offset 0x226, and Hydra at 0x35b.

Why then was the ‘obsolete’ Issuer Unique Identifier present in the first place? It seems Flame was not aware of these offset fields, or of the parameter for Vista there.
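As an added example, not the commenter's or the page's own code, the following Python walks a DER-encoded TBSCertificate, reports whether the obsolete issuerUniqueID field is present at all, and lists any X.509 Extension structures (by offset and extnID) found inside it, which is the anomaly described above. The certificate it parses is a constructed sample rather than the Flame certificate, and offsets are relative to the TBSCertificate, not the certutil dump offsets quoted in the comment.

```python
# Added example (not the page's code): walk a DER-encoded TBSCertificate, flag the
# obsolete issuerUniqueID ([1] IMPLICIT BIT STRING) and list Extensions hidden in it.
def _tlv(buf, pos):                        # -> (tag, length, value_offset)
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        hdr += length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + hdr], "big")
    return tag, length, pos + hdr

def _oid_str(data):                        # DER OID body -> dotted string
    arcs, cur = list(divmod(data[0], 40)), 0
    for b in data[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, cur = arcs + [cur], 0
    return ".".join(map(str, arcs))

def issuer_unique_id_extensions(tbs):      # None if absent, else [(offset, extnID), ...]
    _, length, pos = _tlv(tbs, 0)          # outer SEQUENCE of the TBSCertificate
    end = pos + length
    while pos < end:
        tag, length, val = _tlv(tbs, pos)
        if tag != 0x81:                    # [1] IMPLICIT BIT STRING = issuerUniqueID
            pos = val + length
            continue
        body_off, body = val + 1, tbs[val + 1:val + length]   # skip unused-bits byte
        if not body or body[0] != 0x30:    # present, but holds no Extensions SEQUENCE
            return []
        _, seq_len, p = _tlv(body, 0)
        found, seq_end = [], p + seq_len
        while p < seq_end:
            _, ext_len, ext_val = _tlv(body, p)          # Extension ::= SEQUENCE
            _, oid_len, oid_val = _tlv(body, ext_val)    # extnID OBJECT IDENTIFIER
            found.append((body_off + p, _oid_str(body[oid_val:oid_val + oid_len])))
            p = ext_val + ext_len
        return found
    return None

def _der(tag, body):                       # short-form DER TLV (body < 128 bytes)
    return bytes([tag, len(body)]) + body

def sample_tbs(with_iuid=True):            # constructed sample; not the Flame cert
    oid = lambda b: _der(0x06, b)
    ext = lambda o: _der(0x30, oid(o) + _der(0x04, _der(0x30, b"")))     # Extension
    exts = _der(0x30, ext(b"\x55\x1d\x1f") + ext(b"\x2b\x06\x01\x05\x05\x07\x01\x01"))  # CDP, AIA
    fields = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")      # version, serial
              + _der(0x30, oid(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05") + _der(0x05, b""))  # sigalg
              + _der(0x30, b"") + _der(0x30, _der(0x17, b"120101000000Z") * 2)  # issuer, validity
              + _der(0x30, b"") + _der(0x30, _der(0x03, b"\x00")))       # subject, spki
    return _der(0x30, fields + (_der(0x81, b"\x00" + exts) if with_iuid else b""))
```

A certificate with no issuerUniqueID yields None, one whose issuerUniqueID is a plain bit string yields an empty list, and only a certificate carrying extension structures inside that field produces entries worth flagging.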
