Microsoft Revokes Own Certificates

Thursday, July 12, 2012 @ 01:07 PM gHale


In the wake of Flame, whose operators used a fraudulent Microsoft digital certificate, the software giant reviewed its own certificates, found almost 30 that do not meet its security standards, and revoked trust in them.

Microsoft did not say where the now-untrusted certificates had been used, but company officials said 28 certificates are affected by the move. Quite a few of them are listed simply as “Microsoft Online Svcs.” However, the company said it is confident none of them was compromised or used maliciously. The move to revoke trust in these certificates is a direct result of the investigation into the Flame malware and how the attackers were able to forge a Microsoft certificate and then use it to impersonate a Windows Update server.


“As a continuation of this effort, we reviewed a number of Microsoft digital certificates and found several which do not meet our standards for security practices,” Gerardo Di Giacomo and Jonathan Ness of the Microsoft Security Response Center wrote in an explanation of the change. “As an extra precautionary measure, we released Security Advisory 2728973 today to announce the availability of a Critical, non-security update that moves several of these certificates into the Untrusted Certificate Store. None of the certificates involved are known to have been breached, compromised, or otherwise misused. This is a pre-emptive cleanup to ensure a high bar for any certificates owned by Microsoft.”

During analysis of the Flame malware, researchers discovered that one of the worm’s features was its use of a forged Microsoft certificate. The attackers used that certificate to set up a seemingly valid Windows Update server inside an infected organization, have clients connect to it, ostensibly for Microsoft updates, and install Flame on those machines.

That led to several changes in how Microsoft handles certificates, and revoking trust in several of its own certificates is one of the more dramatic results. Several weeks ago the company said it would release a mechanism for Windows that automatically updates the list of untrusted certificates in the certificate store. That was initially an optional update for Windows, but Microsoft has reclassified it as a critical, non-security update, which means it installs automatically on most machines.

“This new feature provides dynamic updates, allowing Windows clients to be updated with untrusted certificates once per day without requiring user interaction,” Di Giacomo and Ness wrote.
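The advisory above describes certificates being moved into the Untrusted Certificate Store and a daily update of that store. The check an administrator would want is to look at what is actually in that store on a given machine and whether a signed binary chains through any of it. The following PowerShell is an added example, not Microsoft’s code and not part of the original article; it assumes Windows PowerShell 3.0 or later with the standard `Cert:` drive, and the file path used at the bottom is only a sample target.

```powershell
# Added example (not Microsoft's code): inspect the machine-wide Untrusted
# (Disallowed) certificate store and check whether a signed file's chain
# touches it. Assumes Windows PowerShell 3.0+; the CurrentUser store has a
# parallel Cert:\CurrentUser\Disallowed node that is not examined here.

function Get-UntrustedCertificate {
    # Returns the certificates currently in LocalMachine\Disallowed, which is
    # the "Untrusted Certificates" node shown by certlm.msc. Entries pushed by
    # the daily updater described in the advisory land here.
    Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
        Select-Object Subject, Issuer, Thumbprint, NotAfter
}

function Test-SignerUntrusted {
    param(
        [Parameter(Mandatory)][string]$Path   # signed PE file to inspect (sample input)
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        return [pscustomobject]@{
            Path                  = $Path
            Status                = 'NotSigned'
            UntrustedChainElement = $null
        }
    }

    # Build the chain ourselves so every element is visible, rather than
    # relying only on the summary status Get-AuthenticodeSignature reports.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # local store check only; no CRL/OCSP traffic
    [void]$chain.Build($sig.SignerCertificate)

    $disallowed = @(Get-ChildItem -Path Cert:\LocalMachine\Disallowed | ForEach-Object { $_.Thumbprint })
    $hit = $chain.ChainElements |
        ForEach-Object { $_.Certificate } |
        Where-Object { $disallowed -contains $_.Thumbprint } |
        Select-Object -First 1

    $hitSubject = $null
    if ($hit) { $hitSubject = $hit.Subject }

    [pscustomobject]@{
        Path                  = $Path
        Status                = $sig.Status        # Valid, NotTrusted, HashMismatch, ...
        UntrustedChainElement = $hitSubject        # subject of the first chain element found in Disallowed
    }
}

# Usage: list the store, then check a sample system binary.
Get-UntrustedCertificate | Format-Table -AutoSize
Test-SignerUntrusted -Path "$env:SystemRoot\System32\notepad.exe"
```

The Windows chain engine already treats a certificate found in the Disallowed store as explicitly distrusted, so `$sig.Status` alone will usually flag such a file; walking the chain elements is what tells you which certificate caused it, which is the detail you need when deciding whether an in-house signing certificate or a vendor’s was the one revoked.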
