Microsoft patches SSL security threat

Worldwide patch deems all DigiNotar SSL certificates to be untrustworthy except for operating systems in The Netherlands

Microsoft is rolling out a worldwide patch that deems all DigiNotar SSL certificates to be untrustworthy except for OSes in the Netherlands, as requested by the Dutch government.

All certificates issued by DigiNotar, a Dutch provider of Secure Socket Layer (SSL) certificates, are untrustworthy Microsoft concluded after an investigation into the matter. The certificates are to be moved to the Untrusted Certificate List Tuesday.

The patch fixes the problem for all versions of Windows and Windows Server, including Windows XP and Server 2003, Dave Forstrom, director of Microsoft's Trustworthy Computing division, announced in a Security Advisory.

As of Aug. 29 the Certificate Trust List (CTL) was revised to remove DigiNotar from the list of Certificate Authorities (CAs). That list, with valid root certificates, is automatically updated for Windows Vista, Windows 7 and Windows Server 2008. Windows Vista and higher check every seven days for changes in the list, so the last time these OSes were vulnerable for the 500 rogue DigiNotar certificates was Sept. 5, Microsoft stated.

Windows XP and Windows Server 2003 work with a static list that has to be updated trough a security patch. "We have extended our support with this update so all customers using Windows XP, Windows Server 2003, and all Windows supported third-party applications are protected," Forstrom wrote. After this update, all DigiNotar certificates are no longer trusted for HTTPS connections.

The patch will be rolled out worldwide Tuesday with one exception. By government request Microsoft has refrained from patching the OSes in the Netherlands, the company said in a Dutch press release. "At the explicit request of the Dutch government, Microsoft has decided not to automatically execute the update for the Netherlands," Microsoft Netherlands stated.

The week-old CTL update only revoked a part of the DigiNotar certificates. As of Tuesday it also includes certificates from the "PKIoverheid" root used by the Dutch government and certain companies. The Dutch government requested a delay for the update because it wants to give organizations and businesses the chance to replace the certificates. The Dutch government banned DigiNotar themselves in a very rare nightly press conference Friday night local time. Administrators that want to patch their systems can do this themselves by following instructions issued by Microsoft.

The DigiNotar hack was claimed by "Comodohacker" in a posting Monday on Pastebin. Comodohacker claimed to breach DigiNotar to punish the Dutch government for the actions of its soldiers in Srebrenica, where 8,000 Muslims were killed by Serbian forces in 1995 during the Bosnian War.

More than 500 fraudulent SSL certificates were issued by DigiNotar after its systems were breached. A report released on Monday by DigiNotar's auditor, Fox-IT, found that more than 300,000 mostly Iranian unique IP addresses may have accessed Google account information under the fraudulent certificate, meaning the data exchanged with Google could have been intercepted.

Tags securityMicrosoft

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Loek Essers

IDG News Service

Comments

Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?