The company already removed two DigiNotar root certificates

Sep 5, 2011 11:19 GMT

Spoofed certificates for *.microsoft.com and *.windowsupdate.com are among those issued by Dutch certificate authority DigiNotar, which is at the center of a scandal involving fraudulent certificates used to attack users of Google.com sites. Microsoft has officially confirmed that DigiNotar-issued certificates for its own online properties are among the compromised ones, and has already taken measures to ensure that customers running Internet Explorer on Windows Vista and Windows 7 are protected.

Dave Forstrom, director of Trustworthy Computing, says that while the investigation continues, two DigiNotar root certificates have been removed.

“As always, we continue to take action to ensure the safety of our customers. We have already removed the two DigiNotar root certificates, which encompass what we believe to be the vast majority of the fraudulently issued digital certificates, from the Certificate Trust List. All fraudulent certificates that have been disclosed to Microsoft roll up to one of those two root certificates,” Forstrom said.

Windows Vista and Windows 7 users who run IE have been protected against these attacks since the end of August.

“Users of Vista and later operating systems have been protected since we released Security Advisory 2607712 on August 29,” Forstrom added.

“In addition, customers using Windows Update on any platform are not at risk of exploitation from the windowsupdate.com certificate, since that domain is no longer in use. The Windows Update service uses multiple means of checking that the content distributed is legitimate and uncompromised.”

Attackers could use the fraudulent certificates to spoof legitimate websites and pass the fakes off as genuine online properties.

Now that the DigiNotar root certificates have been removed from the trust list, IE will flag fake sites that present certificates issued under them and warn users that they are about to be attacked.
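The trust-list removal described above, as an added example that is not part of the article: it builds a throwaway OpenSSL CA (nothing from DigiNotar or Microsoft is involved, and every name is constructed), issues a leaf for a made-up hostname, and shows that the leaf validates while its root is in the trust bundle and is rejected once that root is dropped; the thumbprint helper shows how a trust-list entry identifies a root. It assumes the openssl command line, version 1.1.0 or later.

```shell
#!/bin/sh
# Added example (not from the article): what removing a root from the Certificate
# Trust List does, modelled with a throwaway CA. All names here are constructed.
set -e
WORK=$(mktemp -d); cd "$WORK"
# Minimal req config so the roots are marked CA regardless of the system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
# $1 = basename, $2 = CN. One root will sign the fraudulent leaf; the other stands
# in for every root that stays in the trust list.
new_root() {
  openssl req -x509 -config ca.cnf -subj "/CN=$2" -newkey rsa:2048 -nodes \
    -days 2 -keyout "$1.key" -out "$1.pem" 2>/dev/null
}
new_root compromised "Demo Compromised Root CA"
new_root unrelated "Demo Unrelated Root CA"
# Leaf for a constructed hostname, issued under the compromised root.
openssl req -new -config ca.cnf -subj "/CN=update.example.test" -newkey rsa:2048 \
  -nodes -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA compromised.pem -CAkey compromised.key \
  -CAcreateserial -days 2 -out leaf.pem 2>/dev/null
# The client-side decision: does the leaf chain to a root in the trust list?
# $1 = trust list (PEM bundle), $2 = leaf. Exit status is the verdict.
chains_to_trusted_root() {
  openssl verify -no-CApath -no-CAfile -CAfile "$1" "$2" >/dev/null 2>&1
}
# Trust-list entries are identified by root thumbprint. $1 = root PEM.
root_thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}
cat compromised.pem unrelated.pem > ctl_before.pem  # root still trusted
cp unrelated.pem ctl_after.pem                        # root removed
if chains_to_trusted_root ctl_before.pem leaf.pem; then echo "before removal: accepted"; fi
if chains_to_trusted_root ctl_after.pem leaf.pem; then :; else echo "after removal: rejected"; fi
echo "removed root thumbprint: $(root_thumbprint compromised.pem)"
```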

“We are also working to update Security Advisory 2607712 for customers on XP and Server 2003 and will continue to investigate any additional issues arising from the spoofed *.microsoft.com certificate. We will provide updated information to customers as it becomes available,” Forstrom promised.