Hackers have stolen a digital certificate from a Dutch company, DigiNotar, which could potentially be used to compromise communications between any Windows platform and microsoft.com. Microsoft has moved quickly to update the certificate store automatically on computers running Windows 7 and Vista, but users with XP will have to wait for a special update to be released. Unless this is a Critical update it may be ignored by many users, leaving their systems potentially at risk. Microsoft said in a special Security blog this week:
Last week, we released Security Advisory 2607712, notifying customers that fraudulent digital certificates had been issued by certificate authority DigiNotar.
We’d like to follow up on that notification in this blog post by explaining more about the potential risks and actions you can take to protect yourself from any potential attacks that would leverage those fraudulent certificates.
The background story to this can be found in a ComputerWorld article, "Microsoft: Stolen SSL certs can't be used to install malware via Windows Update".
Microsoft has issued details of how to remove the certificates from the Trusted Root Certification Authorities store for users running XP: the details of how to do this are contained in a Microsoft Security Research & Defense blog - "Protecting yourself from attacks that leverage fraudulent DigiNotar digital certificates".
The relevant section is below -
What Microsoft is doing to protect you on Windows XP and Windows Server 2003
We are currently preparing an update for Windows XP and Windows Server 2003 platforms which will add DigiNotar to our Untrusted Certificate Store. This update will be available soon.
What you can do to protect yourself
First, as indicated in the security advisory, we recommend keeping Microsoft software updated. If you’re able to do so, opt into Automatic Updates to automatically get the Windows XP and Windows Server 2003 updates when they become available.
Second, you can choose to delete the DigiNotar root from the root store manually. You might consider doing this if you believe the risk to your network or system is urgent and you would like to take action before the Windows XP and Windows Server 2003 update becomes available.
After doing this, you’ll also need to clear the local cache. The steps for both removing the DigiNotar root from the trusted root CA store and clearing the cache are listed below.
Step 1: Remove the DigiNotar Root from the trusted root CA store
- Click Start, click Start Search, type mmc, and then press ENTER.
- On the File menu, click Add/Remove Snap-in.
- Under Available snap-ins, click Certificates, and then click Add.
- Under This snap-in will always manage certificates for, click Computer account, and then click Next.
- Click Local computer, and click Finish.
- If you have no more snap-ins to add to the console, click OK.
- In the console tree, double-click Certificates.
- Double-click the Trusted Root Certification Authorities store and click on Certificates to view all certificates in the store.
- Select the two DigiNotar Root CA certificates. You can confirm the right certificates by checking their thumbprints, which should be “c0 60 ed 44 cb d8 81 bd 0e f8 6c 0b a2 87 dd cf 81 67 47 8c” and “43 d9 bc b5 68 e0 39 d0 73 a7 4a 71 d8 51 1f 74 76 08 9c c3”.
- Right-click the certificates and select Delete.
To perform the above steps from the command-line, you can use the certutil.exe tools as follows:
- certutil -delstore authroot "c0 60 ed 44 cb d8 81 bd 0e f8 6c 0b a2 87 dd cf 81 67 47 8c"
- certutil -delstore authroot "43 d9 bc b5 68 e0 39 d0 73 a7 4a 71 d8 51 1f 74 76 08 9c c3"
Message was edited by: Hayton on 06/09/11 21:17:16 IST
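As an added example (not from Hayton's post or from Microsoft's blog): a PowerShell version of the check-then-remove procedure quoted above, keyed on the two thumbprints the post gives, so that you can confirm what is present before deleting anything. It assumes an elevated Windows PowerShell 3.0 or later session (Remove-Item on the Cert: drive needs 3.0); the function names are hypothetical.

```powershell
# Added example, not part of the forum post or Microsoft's blog.
# Locate (and optionally remove) the two DigiNotar root certificates
# by the thumbprints quoted in the post. Run from an elevated session.

# Thumbprints from the blog text, spaces removed: the certificate
# provider exposes Thumbprint as one uppercase hex string.
$DigiNotarThumbprints = @(
    'C060ED44CBD881BD0EF86C0BA287DDCF8167478C',
    '43D9BCB568E039D073A74A71D8511F7476089CC3'
)

# Where a root CA may sit: the machine's trusted roots (Root) and the
# store fed by the root-update mechanism (AuthRoot), which is the store
# the certutil commands above target.
$Stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot'

function Find-DigiNotarRoots {
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $DigiNotarThumbprints -contains $_.Thumbprint }
    }
}

function Remove-DigiNotarRoots {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($cert in Find-DigiNotarRoots) {
        # -WhatIf reports what would be removed without touching the store.
        if ($PSCmdlet.ShouldProcess($cert.PSPath, "Remove $($cert.Thumbprint)")) {
            Remove-Item -Path $cert.PSPath
        }
    }
}

$found = @(Find-DigiNotarRoots)
if ($found.Count -eq 0) {
    Write-Output 'No DigiNotar root certificates in the machine root stores.'
} else {
    $found | Format-Table Thumbprint, Subject, PSParentPath -AutoSize
    # Dry run first; rerun without -WhatIf to actually delete.
    Remove-DigiNotarRoots -WhatIf
}

# Once the XP/2003 update described above is installed, the CA should
# instead show up in the Untrusted (Disallowed) store; this checks that.
Get-ChildItem -Path 'Cert:\LocalMachine\Disallowed' |
    Where-Object { $DigiNotarThumbprints -contains $_.Thumbprint } |
    Select-Object Thumbprint, Subject
```

As the blog notes, the local cache still has to be cleared after a manual removal; this script only handles the store entries.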