Microsoft patches SSL security threat

Worldwide patch deems all DigiNotar SSL certificates to be untrustworthy except for operating systems in The Netherlands
  • (IDG News Service)
  • 07 September, 2011 06:17

Microsoft is rolling out a worldwide patch that deems all DigiNotar SSL certificates to be untrustworthy except for OSes in the Netherlands, as requested by the Dutch government.

All certificates issued by DigiNotar, a Dutch provider of Secure Socket Layer (SSL) certificates, are untrustworthy Microsoft concluded after an investigation into the matter. The certificates are to be moved to the Untrusted Certificate List Tuesday.

The patch fixes the problem for all versions of Windows and Windows Server, including Windows XP and Server 2003, Dave Forstrom, director of Microsoft's Trustworthy Computing division, announced in a Security Advisory.

As of Aug. 29 the Certificate Trust List (CTL) was revised to remove DigiNotar from the list of Certificate Authorities (CAs). That list, with valid root certificates, is automatically updated for Windows Vista, Windows 7 and Windows Server 2008. Windows Vista and higher check every seven days for changes in the list, so the last time these OSes were vulnerable for the 500 rogue DigiNotar certificates was Sept. 5, Microsoft stated.

Windows XP and Windows Server 2003 work with a static list that has to be updated trough a security patch. "We have extended our support with this update so all customers using Windows XP, Windows Server 2003, and all Windows supported third-party applications are protected," Forstrom wrote. After this update, all DigiNotar certificates are no longer trusted for HTTPS connections.

The patch will be rolled out worldwide Tuesday with one exception. By government request Microsoft has refrained from patching the OSes in the Netherlands, the company said in a Dutch press release. "At the explicit request of the Dutch government, Microsoft has decided not to automatically execute the update for the Netherlands," Microsoft Netherlands stated.

The week-old CTL update only revoked a part of the DigiNotar certificates. As of Tuesday it also includes certificates from the "PKIoverheid" root used by the Dutch government and certain companies. The Dutch government requested a delay for the update because it wants to give organizations and businesses the chance to replace the certificates. The Dutch government banned DigiNotar themselves in a very rare nightly press conference Friday night local time. Administrators that want to patch their systems can do this themselves by following instructions issued by Microsoft.

The DigiNotar hack was claimed by "Comodohacker" in a posting Monday on Pastebin. Comodohacker claimed to breach DigiNotar to punish the Dutch government for the actions of its soldiers in Srebrenica, where 8,000 Muslims were killed by Serbian forces in 1995 during the Bosnian War.

More than 500 fraudulent SSL certificates were issued by DigiNotar after its systems were breached. A report released on Monday by DigiNotar's auditor, Fox-IT, found that more than 300,000 mostly Iranian unique IP addresses may have accessed Google account information under the fraudulent certificate, meaning the data exchanged with Google could have been intercepted.

More about: Google, Microsoft, Socket
References show all
Comments are now closed.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: security, Microsoft
ARN Directory | Distributors relevant to this article
Aquion , Bluechip Infotech , Com1 International , Dicker Data , Express Data , ICT Distribution , Impact Systems Technology , Ingram Micro Australia , Leader Computers , Multimedia Technology , NewLease , Synnex Australia , Topstar Computer International , Wholesale IT , XiT Distribution
Get exclusive access to ARN's news, research and invitation only events.
ARN Distributor Directory
ARN Vendor Directory
Microsites

iAsset is a channel management ecosystem that automates all major aspects of the entire sales,marketing and service process, including data tracking, integrated learning, knowledge management and product lifecycle management.

 
Computerworld
CIO
Techworld
CMO

Latest News

04:30PM
Broadband Solutions offers unified solution for hotel phone and web access
04:23PM
Liberal NBN plan unable to deliver tele-health: Jason Clare
03:01PM
TPG fined $400,000 for blocking triple O call
02:44PM
Public Cloud benefits can no longer be ignored: Bulletproof
More News
24 Apr
The China Healthcare ICT Conference 2014
05 May
CeBIT Australia 2014
06 May
Oracle Day 2014 - Across 2 Cities
06 May
Oracle Day 2014 - Across 2 Cities
View all events