Sep 6, 2011 3:17 PM
Volunteer Moderator Leeds, UK
No PM's please
Hackers have stolen a digital certificate from a Dutch company, DigiNotar, which could potentially be used to compromise communications between any Windows platform and microsoft.com. Microsoft has moved quickly to update the certificate store automatically on computers running Windows 7 and Vista, but users with XP will have to wait for a special update to be released. Unless this is a Critical update it may be ignored by many users, leaving their systems potentially at risk. Microsoft said in a special Security blog this week :
Last week, we released Security Advisory 2607712, notifying customers that fraudulent digital certificates had been issued by certificate authority DigiNotar.
We’d like to follow up on that notification in this blog post by explaining more about the potential risks and actions you can take to protect yourself from any potential attacks that would leverage those fraudulent certificates.
The background story to this can be found in a ComputerWorld article, "Microsoft: Stolen SSL certs can't be used to install malware via Windows Update".
Microsoft has issued details of how to remove the certificates from the Trusted Root Certification Authorities store for users running XP : the details of how to do this are contained in a Microsoft Security Research & Defense blog - "Protecting yourself from attacks that leverage fraudulent DigiNotar digital certificates".
The relevant section is below -
What Microsoft is doing to protect you on Windows XP and Windows Server 2003
We are currently preparing an update for Windows XP and Windows Server 2003 platforms which will add DigiNotar to our Untrusted Certificate Store. This update will be available soon.
What you can do to protect yourself
First, as indicated in the security advisory, we recommend keeping Microsoft software updated. If you’re able to do so, opt into Automatic Updates to automatically get the Windows XP and Windows Server 2003 updates when they become available.
Second, you can choose to delete the DigiNotar root from the root store manually. You might consider doing this if you believe the risk to your network or system is urgent and you would like to take action before the Windows XP and Windows Server 2003 update becomes available.
After doing this, you’ll also need to clear the local cache. The steps for both removing the DigiNotar root from the trusted root CA store and clearing the cache are listed below.
Step 1: Remove the DigiNotar Root from the trusted root CA store
- Click Start, click Start Search, type mmc, and then press ENTER.
- On the File menu, click Add/Remove Snap-in
- Under Available snap-ins, click Certificates, and then click Add
- Under This snap-in will always manage certificates for, click Computer account, and then click Next
- Click Local computer, and click Finish
- If you have no more snap-ins to add to the console, click OK
- In the console tree, double-click Certificates
- Double-click the Trusted Root Certification Authorities store and click on Certificates to view all certificates in the store
- Select the two DigiNotar Root CA certificates. You can confirm the right certificates by checking their thumbprints which should be “c0 60 ed 44 cb d8 81 bd 0e f8 6c 0b a2 87 dd cf 81 67 47 8c” and “43 d9 bc b5 68 e0 39 d0 73 a7 4a 71 d8 51 1f 74 76 08 9c c3”
- Right-click the certificates and select Delete
To perform the above steps from the command-line, you can use the certutil.exe tools as follows:
- certutil -delstore authroot “c0 60 ed 44 cb d8 81 bd 0e f8 6c 0b a2 87 dd cf 81 67 47 8c”
- certutil -delstore authroot “43 d9 bc b5 68 e0 39 d0 73 a7 4a 71 d8 51 1f 74 76 08 9c c3”
Message was edited by: Hayton on 06/09/11 21:17:16 IST
Update, September 6 :
Microsoft have today pushed a High-Priority Update out to XP users as well as to those running Windows 7 and Vista. The details are in a Computerworld article HERE.
Microsoft today updated Windows to permanently block all digital certificates issued by a Dutch company that was hacked months ago.
The update -- the second for Windows Vista and Windows 7, but the first for the decade-old Windows XP -- moves all DigiNotar SSL (secure socket layer) certificates to Windows' block list, dubbed the Untrusted Certificate Store. Microsoft's Internet Explorer (IE) uses that list to bar the browser from reaching sites secured with dubious certificates.
The Windows update will be automatically downloaded and installed to machines that have Windows Update's Automatic Update enabled, Microsoft said in a security advisory.
Microsoft's Dutch customers, however, won't see the update for another week.
Google and Mozilla have already updated their browsers to block all DigiNotar certificates. The former shipped a new version of Chrome on Saturday, while the latter updated Firefox 6 and Firefox 3.6 today.