Microsoft issued a patch on Tuesday that blocks the fraudulent DigiNotar certificates on all supported versions of Windows.
The certificates were issued by a trusted Certificate Authority (CA) during July. Dutch certificate authority DigiNotar issued a number of fraudulent certificates for Google, Microsoft, Yahoo, Mozilla and WordPress domains. The misuse first came to public attention on August 28, after a number of Gmail users in Iran reported problems accessing the service. It was subsequently revealed that DigiNotar had issued a certificate for google.com that ended up in the hands of individuals in Iran.
Microsoft took steps to protect Windows users from the fake certificates. The software giant released a security advisory on August 29 and removed the DigiNotar root certificate from the Microsoft Certificate Trust List. That update reached Windows Vista and later via the company’s Internet Explorer browser. Microsoft has now gone one step further. After the initial August 29 update, a user who visited a Web site presenting a certificate that chained to one of the now-untrusted DigiNotar roots was shown a warning about the certificate’s validity, but could still click through and reach the site. “In order to protect customers more comprehensively against possible man-in-the-middle attacks, Microsoft is releasing an update that takes additional measures to protect customers by completely preventing Internet Explorer users from accessing resources of Web sites that contained certificates signed by the untrusted DigiNotar root certificates,” said a Microsoft spokesperson. The new update blocks access outright: Internet Explorer will no longer let users reach a site that presents a certificate issued under any of the untrusted DigiNotar roots, whether or not that particular certificate is one of the known fraudulent ones.
The DigiNotar breach may have spread to another European Certificate Authority. GlobalSign warned on Tuesday that the individual responsible for the fraudulent Comodo certificates earlier this year and the recent DigiNotar attack has claimed he had access to four further high-profile Certificate Authorities. “GlobalSign takes this claim very seriously and is currently investigating,” said a spokesperson in a statement on Tuesday. “As a responsible CA, we have decided to temporarily cease issuance of all Certificates until the investigation is complete.”
The fake certificates could have been used to snoop on HTTPS conversations. Microsoft explains that for an attack to be successful, the attacker would need to perform a man-in-the-middle attack in one of the following ways:
- The attacker is on the victim’s local network (an open wireless network, for example);
- The attacker owns or operates the network infrastructure between the victim client and the listening server; or
- The attacker controls the DNS server used by the victim’s ISP, or can influence the victim’s choice of DNS server through DHCP responses if the client obtains its DNS settings via DHCP.
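The practical question for an administrator reading this is whether a given Windows machine has actually stopped trusting the DigiNotar roots. The following PowerShell audit is an added example, not code from the article or from Microsoft: it walks the trust-granting stores (Root, AuthRoot, CA) and the Disallowed store (shown as "Untrusted Certificates" in the certificate snap-in) for both the machine and the current user, and reports where each DigiNotar certificate lives. It assumes the certificates can be identified by the string "DigiNotar" in the Subject or Issuer, and that the store paths listed are the relevant ones.

```powershell
# Added example, not code from the article or from Microsoft: audit the Windows
# certificate stores for DigiNotar roots and report where each one lives.
# Assumptions: the certificates can be identified by the string "DigiNotar" in
# the Subject or Issuer, and the store paths below cover the places a root or
# intermediate could be trusted from. Run in an elevated PowerShell session.

$pattern = 'DigiNotar'

# Stores that grant trust (Root, AuthRoot, CA) and the store that revokes it
# (Disallowed, shown as "Untrusted Certificates" in the certificate MMC snap-in).
$stores = @(
    'Cert:\LocalMachine\Root',
    'Cert:\LocalMachine\AuthRoot',
    'Cert:\LocalMachine\CA',
    'Cert:\LocalMachine\Disallowed',
    'Cert:\CurrentUser\Root',
    'Cert:\CurrentUser\CA',
    'Cert:\CurrentUser\Disallowed'
)

$findings = @()
foreach ($store in $stores) {
    $certs = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern }
    foreach ($cert in $certs) {
        # A DigiNotar certificate in Disallowed is the desired state after the
        # update; one in any other store is still trusted and needs attention.
        $state = if ($store -like '*\Disallowed') { 'blocked' } else { 'STILL TRUSTED' }
        $findings += New-Object PSObject -Property @{
            Store      = $store
            State      = $state
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No DigiNotar certificates found in any store (neither trusted nor explicitly blocked)."
} else {
    $findings | Sort-Object State, Store | Format-Table State, Store, Subject, Thumbprint -AutoSize
}

$stillTrusted = @($findings | Where-Object { $_.State -ne 'blocked' })
if ($stillTrusted.Count -gt 0) {
    Write-Warning ("{0} DigiNotar certificate(s) are still in a trusted store; install the Microsoft update rather than editing stores by hand." -f $stillTrusted.Count)
    exit 1
}
exit 0
```

Two caveats when reading the output. An empty result is not proof of safety: on Windows Vista and later, the Automatic Root Certificates Update mechanism can fetch a root from Windows Update the first time a chain needs it, so a root that is simply absent can still be trusted on demand. The state you want is the roots present in Disallowed, which is what the Microsoft update produces. And the audit is deliberately read-only; manually deleting or moving store entries is easy to get wrong and can be undone by the next automatic update, whereas the vendor update applies the block consistently.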