Venafi has aggregated scanning data from the networks of 450 Global 2000 enterprises and discovered how frequently MD5-signed certificates are deployed – and it is quite often. This is hard data, not based on surveys and theory. And, the data is on more than just MS and self-signed certificates, it extends to VeriSign, GeoTrust and others.
Any organization that has certificates signed with the MD5 algorithm is at risk of a Flame-style attack.
Microsoft has done a great job of solving its MD5 problem, and it has done a decent job of convincing the world that the doors are closed. However, its patch and update does nothing to solve the problem related to ALL deployed certificates signed with MD5. Which, as pointed out above, include those issued by CAs such as VeriSign, GeoTrust and more.
Security researchers are saying that Flame doesn’t appear to pose a threat to corporate networks because it was crafted to spy on networks in the Middle East. This is like saying that people living in gang neighborhoods should not be concerned about AK-47s, because they were built for the battlefield.
If you were a hacker and you knew MD5 was easily compromised and that a certificate could get you past AV, what route would you take into a network? If you were responsible for security within an enterprise, how would you know where all of your weak certificates are located? An MS update won’t reveal this. If you have MD5, you have a problem.
So far, the news has been focused on the complexity of Flame itself. By being transparent on the Flame incident, Microsoft has proven to the world that weak certificates are the key to Flame-style compromises. Hackers know this, this is why there has been a trend toward certificate-based attacks starting with Stuxnet, Duqu and now Flame.