Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Microsoft Windows Update not vulnerable to DigiNotar SSL hack

Software giant claims patch system secure against malware distribution

Article comments

Microsoft says that a digital certificate stolen from Dutch company DigiNotar could not be used to force-feed customers malware through its Windows Update service.

The company's assertion came after a massive theft of more than 500 SSL (secure socket layer) certificates, including several that could be used to impersonate Microsoft's update services, was revealed by Dutch authorities and several other affected developers.

"Attackers are not able to leverage a fraudulent Windows Update certificate to install malware via the Windows Update servers," said Jonathan Ness, an engineer with the Microsoft Security Response Center. "The Windows Update client will only install binary payloads signed by the actual Microsoft root certificate, which is issued and secured by Microsoft."

Microsoft domains caught in trawl

Seven of the 531 certificates now known to have been fraudulently obtained by hackers in July were for the domains update.microsoft.com and windowsupdate.com, while another six were for *.microsoft.com.

According to Microsoft, the certificates issued for windowsupdate.com couldn't be used by attackers because the company no longer uses that domain. However, those for update.microsoft.com, the domain for Microsoft Update, and the wildcard *.microsoft.com could be.

As Ness said, updates delivered via Microsoft's services are signed with a separate certificate that's closely held by the company. Without that code-signing certificate, attempts to deliver malware disguised as an update to a Windows PC would fail.

Other vendors, including Apple, also sign software updates with a separate certificate.

DigiNotar hack

The certificates for the various Microsoft domains were issued by DigiNotar, a Dutch company that last week admitted its network had been hacked in mid-July.

The company initially believed it had revoked all the fraudulent certificates, but later realised it had overlooked one that could be used to impersonate any Google service, including Gmail. DigiNotar went public only after users reported their findings to Google.

Criminals or governments could use the stolen certificates to conduct "man-in-the-middle" attacks, tricking users into thinking they were at a legitimate site when in fact their communications were being secretly intercepted.

Permanent block

Microsoft has added its voice to the chorus from rival browser makers, notably Google and Mozilla, about the seriousness of the situation. Like its competitors, Microsoft will also permanently block all DigiNotar certificates.

"We are in the process of moving all DigiNotar owned or managed [certificate authorities] to the Untrusted Root Store, which will deny access to any website using DigiNotar certificates," said Dave Forstrom, a director in the Microsoft Trustworthy Computing group.

Forstrom did not set a date by when Microsoft would block all DigiNotar certificates, including those used by the Dutch government, which has been a major customer of the company. Google updated Chrome on Saturday to block all DigiNotar certificates, while Mozilla plans to do the same on Tuesday for Firefox.

However, Microsoft's partial ban of DigiNotar certificates which it instituted last week and the complete sanction now in the works only protect users running Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2.

Customers still on Windows XP or Windows Server 2003 must wait for an update specific to those operating systems. Ness said only that that update would "be available soon."

Until that Windows XP update is available, users can protect themselves by manually deleting the DigiNotar root from the list of approved certificate-issuing authorities. Microsoft has posted lengthy instructions for doing that on its Security Research & Defense blog.



Share:

More from Techworld

More relevant IT news

Comments



Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *