Microsoft Revokes All DigiNotar Digital Certificates, Reissues Security Advisory
Microsoft, Google and Mozilla have withdrawn trust in all digital certificates from Dutch certificate authority DigiNotar as a security measure, blocking the CA's root certificates so that every certificate chaining to them fails validation.
Microsoft revised an Aug. 29 security advisory today to address the evolving situation. Initially, the problem was just associated with two fraudulent certificates affecting Google's domains, but the issue escalated from there.
DigiNotar's delayed responses, explanations and apparently lax security measures led all three browser makers to distrust every one of its certificates. A Mozilla blog post indicated that DigiNotar had known about and revoked some of the fraudulent certificates but had not told Mozilla for six months. Mozilla moved to block all DigiNotar certificates after the Dutch government issued a vote of no confidence in the CA. More than 200 fraudulent certificates had been issued for more than 20 different domains, according to Mozilla's blog.
Google, in its announcement, also cited the actions of the Dutch government and other browser makers as a reason to block the DigiNotar certificates.
Microsoft indicated in a blog post today that it was updating Security Advisory 2607712 to withdraw trust in all five DigiNotar root certificates. The update has been extended to cover Windows XP and Windows Server 2003. Its security team advised users who don't rely on Microsoft's automatic update service to apply the update manually; everyone else receives it automatically and needs to take no action.
Microsoft provides further guidance on steps Windows users can take to protect against the fraudulent DigiNotar certificates in this TechNet blog post.
Windows XP and Windows Server 2003 use a static, locally stored list of trusted roots, Microsoft explained in the TechNet blog, rather than the dynamic root-update mechanism in newer Windows versions. Windows XP originally didn't include DigiNotar's certificates among its trusted root certificate authorities. However, systems on which "Update for Root Certificates" (Knowledge Base article 931125) was applied did receive the DigiNotar roots, and those systems need Microsoft's new out-of-band update.
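Windows users who want to confirm that the update has taken effect can inspect the certificate stores directly instead of waiting for a browser warning. The PowerShell below is an added example, not code from Microsoft or from the article; it assumes that the DigiNotar root certificates carry "DigiNotar" in their Subject field and that it is run from an elevated prompt. It is written for PowerShell 2.0 syntax so that it also runs on the Windows XP and Windows Server 2003 systems the advisory covers.

```powershell
# Added example (not Microsoft's code): report where DigiNotar certificates sit in the
# Windows certificate stores, and test whether a given certificate still chains to a
# trusted root. Assumption: the DigiNotar roots have "DigiNotar" in their Subject field.

function Get-DigiNotarCertStatus {
    # One object per matching certificate. A certificate is effectively distrusted as soon
    # as a copy of it exists in a Disallowed (Untrusted Certificates) store, even if a copy
    # also remains in Root or AuthRoot, which is how the 2607712 update works.
    $stores = @(
        'Cert:\LocalMachine\Root',        # roots installed locally
        'Cert:\LocalMachine\AuthRoot',    # roots delivered by Microsoft's root program
        'Cert:\LocalMachine\Disallowed',  # Untrusted Certificates store
        'Cert:\CurrentUser\Root',
        'Cert:\CurrentUser\Disallowed'
    )
    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -match 'DigiNotar' } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    Distrusted = ($store -like '*\Disallowed')
                }
            }
    }
}

function Test-ChainTrust {
    # Build the chain for a certificate file (DER or PEM) the way CryptoAPI would and report
    # the trust decision plus the status flags behind it. Revocation checking is turned off
    # so the result reflects only the local trust stores, which is what the update changes.
    param([Parameter(Mandatory = $true)][string]$Path)
    $fullPath = (Resolve-Path $Path).ProviderPath
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)
    New-Object PSObject -Property @{
        Subject = $cert.Subject
        Trusted = $trusted
        Status  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        Chain   = (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- ')
    }
}

# Usage: list every DigiNotar certificate and flag any copy that is not covered by a
# Disallowed entry, which means the host would still accept certificates issued under it.
$status = @(Get-DigiNotarCertStatus)
$status | Format-Table Store, Distrusted, Thumbprint, Subject -AutoSize
$disallowed = @($status | Where-Object { $_.Distrusted } | ForEach-Object { $_.Thumbprint })
$stillTrusted = @($status | Where-Object { -not $_.Distrusted -and ($disallowed -notcontains $_.Thumbprint) })
if ($stillTrusted.Count -gt 0) {
    Write-Warning "DigiNotar roots are still trusted on this host; apply the Security Advisory 2607712 update."
} elseif ($status.Count -eq 0) {
    Write-Output "No DigiNotar certificates found in any store (expected on Windows XP without KB931125)."
} else {
    Write-Output "All DigiNotar roots on this host are covered by the Untrusted Certificates store."
}

# To check a specific certificate saved from a site, e.g. one issued under a DigiNotar root:
# Test-ChainTrust -Path .\site.cer   # Trusted should be False once the update is applied
```

The first function answers the question the advisory raises for XP and Server 2003 administrators: whether KB931125 ever installed the DigiNotar roots and, if so, whether the out-of-band update has since placed them in the Untrusted Certificates store. The second function is the same check from the other direction, using the operating system's own chain builder rather than string matching, and is the more reliable test because it honours the Disallowed store exactly as Internet Explorer and other CryptoAPI-based software do. Firefox keeps its own root list, so its status has to be checked separately from the Windows stores.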
Users whose systems still trust the DigiNotar roots could be subject to phishing or man-in-the-middle attacks, as well as spoofed Web content, Microsoft indicated. While the google.com domain was the first known target, fake certificates were also issued for Microsoft domains, such as microsoft.com, windowsupdate.com and www.update.microsoft.com.
However, Microsoft claims in its TechNet blog post that malware can't be delivered through Windows Update, despite any fraudulent DigiNotar certificates that may be circulating.
"Attackers are not able to leverage a fraudulent Windows Update certificate to install malware via the Windows Update servers," the blog states. "The Windows Update client will only install binary payloads signed by the actual Microsoft root CA certificate, which is issued and secured by Microsoft. Also, Windows Update itself is not at risk, even to an attacker with a fraudulent certificate."
The fraudulent certificates are a problem with the certificate trust system as a whole rather than a flaw in Microsoft's software, but the company described the issue as affecting all supported Windows versions and users of Internet Explorer as well as other browsers that rely on the Windows certificate store. Windows Phone and Windows Mobile operating systems aren't affected by this security issue.
The problem has hit the Dutch government hard as it used a DigiNotar affiliate to help ensure certificate trust on its government site domains. While Microsoft will deliver this security patch through its automatic update service, Dutch users will not get the patch for a week. The delay will give the Dutch government some time to get new certificates for its sites. According to an Associated Press account, the Dutch government took control of DigiNotar's operations on Sept. 3 and is investigating the company for "criminal negligence."
DigiNotar may soon no longer be a "valid entity," according to Andrew Storms, director of security operations at nCircle. He noted that the Dutch government issued an announcement that its own Web sites could not be trusted.
"I'm sure the Dutch government is learning a hard, but important lesson from this ongoing fiasco," Storms said in a released statement. "Trusting DigiNotar's critical online infrastructure role without spending the time to independently audit their operations has undoubtedly cost the Dutch government a lot of time and money. It has certainly caused a great deal of international embarrassment."
DigiNotar is a Dutch certificate authority company that's currently owned by Chicago-based Vasco, a provider of authentication and digital signature solutions. In a statement posted on Monday, T. Kendall Hunt, chairman and CEO of Vasco Data Security, said that Vasco acquired DigiNotar in January and had planned to integrate it in 2012. He also stated that "all VASCO products in the market today are 100% DigiNotar-free."
The Associated Press account noted that an unidentified hacker associated with Iran and the earlier Comodo Group certificate fraud is claiming credit for this DigiNotar certificate fraud. News accounts are speculating that the fraudulent certificates may have been used for domestic spying in Iran or for international espionage.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.