Microsoft issues patch to revoke Windows DigiNotar certificates

By Tom Warren, on 7th Sep 11 1:49 pm with 14 Comments

Microsoft issued a patch on Tuesday that disables the fake DigiNotar certificates on supported versions of Windows.

The certificates were issued by a trusted Certificate Authority (CA) during July. Dutch certificate authority DigiNotar issued a number of fraudulent certificates for Google, Microsoft, Yahoo, Mozilla and WordPress domains. The first reports of the DigiNotar certificate misuse surfaced publicly on August 28 after a number of Gmail users in Iran reported issues accessing the service. Subsequently, it was revealed that DigiNotar issued a certificate for google.com to individuals in Iran.

Microsoft took steps to protect Windows users from the fake certificates. The software giant released a security advisory on August 29 and removed the DigiNotar root certificate from the Microsoft Certificate Trust List. The update was made available to users of Windows Vista and above via the company’s Internet Explorer browser. Microsoft has now gone one step further. The initial update on August 29 meant that users who accessed a Web site that was signed by an untrusted DigiNotar root certificate would be presented with a warning message about the certificate’s validity. Users could still click through the warning and access the site, however. “In order to protect customers more comprehensively against possible man-in-the-middle attacks, Microsoft is releasing an update that takes additional measures to protect customers by completely preventing Internet Explorer users from accessing resources of Web sites that contained certificates signed by the untrusted DigiNotar root certificates,” said a Microsoft spokesperson. The new update will not allow users to access websites that use any fake DigiNotar certificates.
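A defender’s follow-up to the trust-list change described above: the PowerShell below is an added example, not code from the article or from Microsoft. It lists any DigiNotar entries still present in a host’s trusted root stores and any present in the Untrusted Certificates store. It assumes that the patch places the revoked roots in the Disallowed store (an assumption; the article only says the root was removed from the trust list) and that the Cert: drive is available (Windows PowerShell 2.0 or later).

```powershell
# Added example, not code from the article or from Microsoft: check whether a
# Windows host still trusts any DigiNotar root and whether the revoked roots
# appear in the Untrusted ("Disallowed") store.
# Assumption (not stated in the article): the patch places the DigiNotar roots
# in the Disallowed store. Requires the Cert: provider (Windows PowerShell 2.0+).

$pattern = 'DigiNotar'

# Stores in which a DigiNotar root must NOT appear once trust has been withdrawn.
$trustedStores = @(
    'Cert:\LocalMachine\Root',
    'Cert:\LocalMachine\AuthRoot',
    'Cert:\CurrentUser\Root'
)

$stillTrusted = foreach ($store in $trustedStores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
        Select-Object @{ Name = 'Store'; Expression = { $store } }, Subject, Thumbprint, NotAfter
}

# Entries in the Disallowed store are explicitly distrusted: a chain ending in
# one of them is rejected outright instead of producing a click-through warning.
$distrusted = Get-ChildItem -Path 'Cert:\LocalMachine\Disallowed' |
    Where-Object { $_.Subject -match $pattern } |
    Select-Object Subject, Thumbprint, NotAfter

if ($stillTrusted) {
    Write-Warning 'DigiNotar certificates are still present in a trusted root store:'
    $stillTrusted | Format-Table -AutoSize
} else {
    Write-Output 'No DigiNotar certificates found in the trusted root stores.'
}

if ($distrusted) {
    Write-Output 'DigiNotar entries in the Disallowed (Untrusted Certificates) store:'
    $distrusted | Format-Table -AutoSize
} else {
    Write-Warning 'No DigiNotar entries in the Disallowed store; the update may not be installed.'
}

# Non-zero exit code when a DigiNotar root is still trusted, so the check can be
# run from a scheduled task or configuration-management tool.
if ($stillTrusted) { exit 1 } else { exit 0 }
```

Reading the certificate stores does not require an elevated prompt. The distinction the script surfaces is the one the article draws: a root that is merely absent from the trusted stores leads to a validity warning the user can click through, whereas a root listed in the Disallowed store causes the connection to be refused.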

The DigiNotar breach may have spread to another European Certificate Authority. GlobalSign warned on Tuesday that the individual responsible for the fraudulent Comodo certificates earlier this year and the recent DigiNotar attack has claimed he had access to four further high profile Certificate Authorities. “GlobalSign takes this claim very seriously and is currently investigating,” said a spokesperson in a statement on Tuesday. “As a responsible CA, we have decided to temporarily cease issuance of all Certificates until the investigation is complete.”

The fake certificates could have been used to snoop on HTTPS conversations. Microsoft explains that for an attack to be successful, the attacker would need to perform a man-in-the-middle attack in one of the following ways:

  • The attacker is on your local network (open wireless network, for example);
  • The attacker owns or operates the network infrastructure between the victim client and the listening server; or
  • The attacker controls the DNS server used by your ISP, or can influence your choice of DNS server via DHCP responses if a client gets DNS settings via DHCP.

  • Aaron

    Removing the DigiNotar root certificate is a great move on Microsoft’s part.  Hopefully the other certificate authorities will learn DigiNotar’s lesson and make sure they have good security in place that justifies the trust users ought to be able to place on HTTPS sites.

    • Gzproger

      DigiNotar did a good job of destroying Microsoft’s dignity. Most people don’t understand the public key infrastructure and simply blame Microsoft for this kind of issue. :(

  • Aaron

    I’m wondering if we will see the same ignorant trolls come out and brag about how insecure M$ Windows is based on this story.  It’s sad when trolls don’t understand the nature or cause of a vulnerability.

    • http://twitter.com/OldCongress Gamer

      Ignore them, they are one of those iSheeps.

    • Frylockns86

      Apple has yet to acknowledge the issue…. Hehe, snicker snicker.

    • Guest

      At least Apple doesn’t get thousands of viruses by just going online! HAHAHAHAHAHA! I can sit here with my iPad all day and not get one, unlike Winblows 7. And I don’t need to run registry cleaners, antiviruse, antispyware just to run my iPad.

    • http://twitter.com/ParkerReno Parker Ciambrone

      So MacDefender was a real program?

    • Wings1976

      Keep drinking that Apple kool-aid. 

    • Anonymous

      I wish there would be some way to block this guy’s IP. It’s the same idiot comment that he has posted for the last few days; change a few words, yeah, but the message is the same… pretty stupid. But it’s annoying how someone so ignorant doesn’t know about tech but still mentions Windows and viruses. If he thinks he is secure… omg… like if no one could steal his info, bank stuff and such just for using an iPad, which I think is worse than a virus, and still, common sense doesn’t let viruses in.

      at least im glad about “antiviruse” you know… that word doesn’t exist ;)

    • Aaron

      Don’t take this guy seriously. Honestly, I think he is trolling for our side by trying to make Apple fanboys look very stupid.

    • http://www.facebook.com/people/Dxtsasuke-Uchiha/100000763596065 Dxtsasuke Uchiha

      Oh yeah enjoy bootcamping windows 7 on your beloved machine.

    • Guest

      Dude, you *are* a virus.

    • Gzproger

      There are two choices for an OS:
      1) not including any root CA certs at all, letting users install whatever they trust
      2) including some root CA certs, like MS is doing

      If an OS chooses 1), then it must make installing root CA certs easy and smooth, which makes it super easy for bad guys to spoof end users.

      That’s why all major OSes choose 2). The problem with Windows is that one of the pre-trusted CA companies became a bad guy. Who knows which CA company will do bad things next time?