Tuesday, September 20, 2011

Re-release of Diginotar SSL fix for XP, Windows 2003 Server

If you are still running Windows XP (or Windows Server 2003) and you apply updates manually, download and re-install KB2616676 yourself: re-running Windows Update will NOT apply this patch. A reboot is required.

Microsoft fixes SSL 'kill switch' blooper
Microsoft re-released an update today for Windows XP to correct a snafu that left users vulnerable to potential "man-in-the-middle" attacks for most of last week.

Monday's update addressed a gaffe introduced last week when Microsoft blocked six additional root certificates issued by DigiNotar that were cross-signed by a pair of other certificate authorities (CAs).
ISC Diary | MS Security Advisory Update - Fraudulent DigiNotar Certificates
Microsoft re-released Microsoft Security Advisory (2607712) regarding fraudulent DigiNotar Root CA. "Microsoft is aware of active attacks using at least one fraudulent digital certificate issued by DigiNotar, a certification authority present in the Trusted Root Certification Authorities Store."[1]

The update is available for all supported versions of Windows here and via automatic updates.

[1] http://technet.microsoft.com/en-us/security/advisory/2607712
[2] http://support.microsoft.com/kb/2616676
[3] http://blogs.technet.com/b/msrc/archive/2011/09/19/cumulative-non-security-update-protects-from-fraudulent-certificates.aspx

Microsoft Security Advisory: Fraudulent digital certificates could allow spoofing
We have finished the investigation into an issue with update 2616676 for all Windows XP-based and Windows Server 2003-based systems.

Before September 19, 2011, the versions of update 2616676 for Windows XP and for Windows Server 2003 contained only the latest six digital certificates cross-signed by GTE and Entrust. These versions of the update did not contain the digital certificates that were included in update 2607712 or 2524375. Update 2616676 also incorrectly superseded update 2607712. Therefore, before September 19, 2011, if you installed update 2616676 and had not already installed update 2607712 or update 2524375, your system would not have been protected from the use of fraudulent digital certificates as described in security advisory 2607712.

On September 19, 2011, we re-released update 2616676 to address this issue. If you are running Windows XP or Windows Server 2003 and you have not applied updates 2524375, 2607712, and 2616676, you should install cumulative update 2616676.
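Because the pre-19 September build of 2616676 installed cleanly yet shipped without the DigiNotar certificates, the hotfix list alone does not tell you whether a host is protected. The script below is an added example (my own check, not part of Microsoft's advisory or KB text): it lists which of the three updates Windows reports as installed, then inspects the Untrusted Certificates store (Cert:\LocalMachine\Disallowed) for DigiNotar entries, which is what the fix actually changes, and finally confirms nothing DigiNotar-issued is still present as a trusted root. It assumes PowerShell 2.0 on the XP/2003 host and local administrator rights; the "DigiNotar" subject match is an assumption about the certificate names rather than a list taken from the advisory.

```powershell
# Added example, not from Microsoft's advisory: verify the DigiNotar fix on an XP / Server 2003 host.
# Assumes PowerShell 2.0 and local admin rights.

$requiredKBs = 'KB2524375', 'KB2607712', 'KB2616676'   # the cumulative updates named in the advisory

# 1. What does the hotfix inventory say?
$installed = Get-WmiObject -Class Win32_QuickFixEngineering |
             Select-Object -ExpandProperty HotFixID
foreach ($kb in $requiredKBs) {
    if ($installed -contains $kb) { "$kb : installed" } else { "$kb : MISSING" }
}

# 2. The check that matters: are DigiNotar roots actually in the Untrusted Certificates store?
#    A pre-19 Sept 2011 build of 2616676 shows up in step 1 yet leaves this store empty.
$disallowed = Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
              Where-Object { $_.Subject -match 'DigiNotar' }   # subject match is an assumption
if ($disallowed) {
    "DigiNotar entries in Untrusted Certificates store:"
    $disallowed | ForEach-Object { "  {0}  thumbprint {1}" -f $_.Subject, $_.Thumbprint }
} else {
    "WARNING: no DigiNotar certificates in the Untrusted store." +
    " Re-install KB2616676 (19 Sept 2011 build or later) and reboot."
}

# 3. Make sure nothing DigiNotar-issued is still trusted as a root, machine-wide or per-user.
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match 'DigiNotar' } |
        ForEach-Object { "WARNING: still trusted as root in {0}: {1}" -f $store, $_.Subject }
}
```

Run it after the reboot, not before: the store changes made by the update are only reliably visible once the system has restarted. A host that prints "KB2616676 : installed" but warns that the Untrusted store has no DigiNotar entries is exactly the broken case the KB describes and needs the re-released update.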
