Aug 30, 2011 13:11 GMT

Microsoft has removed a rogue SSL root certificate issued by DigiNotar from the list of trusted Windows root certificates in an effort to protect users of Internet Explorer from attacks impersonating Google online properties, including Gmail.

Dave Forstrom, director of Trustworthy Computing for Microsoft, said that the software giant is aware of only a single fraudulent DigiNotar digital certificate so far, which is no longer featured on the Microsoft Certificate Trust List.

“DigiNotar has since revoked the digital certificate. This is not a Microsoft security vulnerability; however, the certificate potentially affects Internet users attempting to access websites belonging to Google,” Forstrom revealed.

While attacks leveraging the rogue SSL root certificate do not exploit actual vulnerabilities, they still represent a security issue, since cybercriminals can abuse the certificate to pass off malicious websites as legitimate Google sites.

“A fraudulent certificate may be used to spoof Web content, perform phishing attacks or perform man-in-the-middle attacks against end users,” Forstrom explained.

All browsers are impacted by this problem to the same degree as IE. However, now that the Redmond company has excluded the fraudulent digital certificate issued by DigiNotar from the Microsoft Certificate Trust List, Internet Explorer will warn users that sites leveraging it are not safe.

“All supported editions of Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 use the Microsoft Certificate Trust List to validate the trust of a certification authority,” Microsoft explained.

“Users of these operating systems will be presented with an invalid certificate error when they browse to a Web site or try to install programs signed by the DigiNotar root certificate. In those cases users should follow the instructions in the message. Microsoft will release a future update to address this issue for all supported editions of Windows XP and Windows Server 2003.”