Tuesday, September 6, 2011

Emergency Windows and Mozilla updates issued

Dutch certificate authority Diginotar was compromised recently, and as a result Microsoft has issued an out-of-cycle Windows Update to remove them from the Trusted Certificates list. If you use Internet Explorer (or Safari on Windows) as your preferred browser you need to apply this ASAP, as one of the fraudulently issued certificates is for *.google.com. Firefox and Thunderbird have also been updated to version 6.0.2 to address the same compromise. Chrome users whose browsers are current are protected, but if you use Firefox please check to see that you are running the latest version ASAP.

Mac OS X and iOS (iPod, iPad, iPhone) users are especially at risk from this hack, as Apple has not issued a patch for it yet.  Technically-minded OS X/iOS users should search Google for instructions on how to remove Diginotar as a root authority from their browsers.

Google, Mozilla and Microsoft ban the DigiNotar Certificate Authority in their browsers | ZDNet

With the DigiNotar saga continuing, it’s time to summarize some of the current events surrounding it.

According to multiple blog posts, Google, Mozilla and Microsoft have already banned the DigiNotar Certificate Authority in their browsers. This preemptive move comes as a direct response to the mess that DigiNotar created by issuing over 200 rogue certificates for legitimate web sites and services — see a complete list of the affected sites and services.

Earlier this week, Google reported attempted man-in-the-middle attacks executed against Google users, and most recently, TrendMicro offered insights into a large-scale spying operation launched against Iranian web users.

Microsoft Security Advisory (2607712): Fraudulent Digital Certificates Could Allow Spoofing
Microsoft is aware of active attacks using at least one fraudulent digital certificate issued by DigiNotar, a certification authority present in the Trusted Root Certification Authorities Store. A fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer. While this is not a vulnerability in a Microsoft product, this issue affects all supported releases of Microsoft Windows.

Microsoft is continuing to investigate this issue. Based on preliminary investigation, Microsoft is providing an update for all supported releases of Microsoft Windows that revokes the trust of the following DigiNotar root certificates by placing them into the Microsoft Untrusted Certificate Store
Protecting yourself from attacks that leverage fraudulent DigiNotar digital certificates - Security Research & Defense - Site Home - TechNet Blogs

Last week, we released Security Advisory 2607712, notifying customers that fraudulent digital certificates had been issued by certificate authority DigiNotar. We’d like to follow up on that notification in this blog post by explaining more about the potential risks and actions you can take to protect yourself from any potential attacks that would leverage those fraudulent certificates.

ISC Diary | Microsoft Releases Diginotar Related Patch and Advisory
Microsoft updates Security Advisory 2607712 - MSRC - Site Home - TechNet Blogs

Today we’re updating Security Advisory 2607712, to announce that based on our investigation, we’ve deemed all DigiNotar certificates to be untrustworthy and have moved them to the Untrusted Certificate Store. Additionally, we have extended our support with this update so all customers using Windows XP, Windows Server 2003, and all Windows supported third-party applications are protected.

Today’s update, deployed via Automatic Update, applies to all supported releases of Microsoft Windows, and revokes the trust of the following DigiNotar root certificates by placing them into the Microsoft Untrusted Certificate Store:
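An added check, not from this post or from Microsoft's advisory: after the Security Advisory 2607712 update has been applied, the DigiNotar roots should no longer appear in the trusted root stores and should instead sit in the Untrusted Certificates store (exposed in PowerShell as the `Disallowed` store). This script lists any DigiNotar certificate in each store and flags ones still trusted; the `DigiNotar` name match is the only assumption it makes.

```powershell
# Added example (not the post's or Microsoft's code): audit the Windows
# certificate stores for DigiNotar roots after the advisory 2607712 update.
# Expected result on a patched machine: nothing under Root / AuthRoot,
# DigiNotar entries present under Disallowed (the Untrusted Certificates store).
$pattern = 'DigiNotar'   # assumption: match on the CA name in Subject/Issuer
$stores = @(
    'Cert:\LocalMachine\Root',        # Trusted Root Certification Authorities (machine)
    'Cert:\LocalMachine\AuthRoot',    # Third-party roots delivered by Windows Update
    'Cert:\CurrentUser\Root',         # Trusted roots added for the current user
    'Cert:\LocalMachine\Disallowed',  # Untrusted Certificates (machine)
    'Cert:\CurrentUser\Disallowed'    # Untrusted Certificates (current user)
)

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
            }
        }
}

# Any DigiNotar certificate outside the Disallowed store is still trusted,
# which means the update has not taken effect (or a third-party installer
# re-added the root) and the machine is still exposed to the rogue certificates.
$stillTrusted = $findings | Where-Object { $_.Store -notmatch 'Disallowed' }
if ($stillTrusted) {
    Write-Warning 'DigiNotar certificate(s) still present in a trusted store:'
    $stillTrusted | Format-Table -AutoSize
} else {
    Write-Host 'No DigiNotar certificates remain in the trusted root stores.'
}

# Show what has been explicitly distrusted, for the record.
$findings | Where-Object { $_.Store -match 'Disallowed' } | Format-Table -AutoSize
```

Firefox and Thunderbird keep their own certificate store and are not covered by this check, which is why the browser update mentioned above is needed separately.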
