Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

Microsoft patches SSL security threat

Worldwide patch deems all DigiNotar SSL certificates to be untrustworthy except for operating systems in The Netherlands

Microsoft is rolling out a worldwide patch that deems all DigiNotar SSL certificates to be untrustworthy except for OSes in the Netherlands, as requested by the Dutch government.

All certificates issued by DigiNotar, a Dutch provider of Secure Socket Layer (SSL) certificates, are untrustworthy Microsoft concluded after an investigation into the matter. The certificates are to be moved to the Untrusted Certificate List Tuesday.

The patch fixes the problem for all versions of Windows and Windows Server, including Windows XP and Server 2003, Dave Forstrom, director of Microsoft's Trustworthy Computing division, announced in a Security Advisory.

As of Aug. 29 the Certificate Trust List (CTL) was revised to remove DigiNotar from the list of Certificate Authorities (CAs). That list, with valid root certificates, is automatically updated for Windows Vista, Windows 7 and Windows Server 2008. Windows Vista and higher check every seven days for changes in the list, so the last time these OSes were vulnerable for the 500 rogue DigiNotar certificates was Sept. 5, Microsoft stated.

Windows XP and Windows Server 2003 work with a static list that has to be updated trough a security patch. "We have extended our support with this update so all customers using Windows XP, Windows Server 2003, and all Windows supported third-party applications are protected," Forstrom wrote. After this update, all DigiNotar certificates are no longer trusted for HTTPS connections.

The patch will be rolled out worldwide Tuesday with one exception. By government request Microsoft has refrained from patching the OSes in the Netherlands, the company said in a Dutch press release. "At the explicit request of the Dutch government, Microsoft has decided not to automatically execute the update for the Netherlands," Microsoft Netherlands stated.

The week-old CTL update only revoked a part of the DigiNotar certificates. As of Tuesday it also includes certificates from the "PKIoverheid" root used by the Dutch government and certain companies. The Dutch government requested a delay for the update because it wants to give organizations and businesses the chance to replace the certificates. The Dutch government banned DigiNotar themselves in a very rare nightly press conference Friday night local time. Administrators that want to patch their systems can do this themselves by following instructions issued by Microsoft.

The DigiNotar hack was claimed by "Comodohacker" in a posting Monday on Pastebin. Comodohacker claimed to breach DigiNotar to punish the Dutch government for the actions of its soldiers in Srebrenica, where 8,000 Muslims were killed by Serbian forces in 1995 during the Bosnian War.

More than 500 fraudulent SSL certificates were issued by DigiNotar after its systems were breached. A report released on Monday by DigiNotar's auditor, Fox-IT, found that more than 300,000 mostly Iranian unique IP addresses may have accessed Google account information under the fraudulent certificate, meaning the data exchanged with Google could have been intercepted.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: Google, Microsoft, Socket
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: Microsoft, security
Latest Blog Posts
Whitepapers
  • Case Study: Svenska Kraftnät safeguards web and ensures communication security with Clearswift
    Energy producers from surrounding countries load power onto the Swedish National Grid’s network, with energy suppliers then paying the Swedish National Grid to load onto their grids for them to sell-on to customers. Using Clearswift’s Email Appliance, and MIMEsweeper for SMTP means that the organisation has safe and resilient email helping them to meet their goal of providing a safe, robust, cost-effective and environmentally sound energy transmission system.
    Learn more »
  • Top Reasons to Implement an SOA Governance Strategy: A List for IT Executives
    Service-oriented architecture (SOA) has moved beyond hype to widespread acceptance as an IT strategy for delivering business value. SOA promotes the notion of modularity, providing overwhelming flexibility and superior economics for addressing business demands. However, undertaking the transformation to SOA is not without its challenges. If left unchecked, your inventory of SOA assets will become unmanageable; the reuse of services will diminish in favor of custom development; or even worse, modifications will be made to your existing services that break other business processes. The purpose of SOA governance is to help you ensure that this does not happen. This paper outlines the most compelling reasons for you to establish SOA governance within your organization.
    Learn more »
  • Business Intelligence Best Practices for Dashboard Design
    Even if a dashboard’s appearance looks professional and is aesthetically pleasing, appearances can be deceiving. Although visual design is important, it is also important to ask yourself: Is the data reliable? Is it timely? Is any data missing? Is it consistent across all dashboards?. This paper offers an overview of best practice business intelligence (BI) dashboard design principles and discusses data integration options for getting data into a dashboard.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Recent comments