Microsoft has re-released an update for Windows XP SP3 and Windows Server 2003 designed to revoke the trust of all DigiNotar root certificates.
It appears that the original KB 2616676 had several issues: it placed only some of the DigiNotar certificates in the Microsoft Untrusted Certificate Store, leaving users exposed to attacks leveraging the remaining ones.
This is why the Redmond company is now providing a brand new KB 2616676 update, designed to resolve the problems with the initial release. The software company stresses that the refresh only impacts XP and Windows Server 2003.
“Microsoft re-released the KB2616676 non-security update for customers using Microsoft Windows XP and Windows Server 2003,” reveals Dave Forstrom, director, Trustworthy Computing.
“Customers who have enabled automatic updates are already protected and no further action is required, and others are recommended to download the cumulative version of the KB2616676 to protect themselves from the fraudulent certificates listed in Security Advisory 2607712.”
It appears that the original release of KB 2616676 failed to revoke trust for the fraudulent digital certificates covered by two earlier updates, 2607712 and 2524375.
“Before September 19, 2011, the versions of update 2616676 for Windows XP and for Windows Server 2003 contained only the latest six digital certificates cross-signed by GTE and Entrust. These versions of the update did not contain the digital certificates that were included in update 2607712 or 2524375,” Microsoft explained.
“Update 2616676 also incorrectly proceeded update 2607712. Therefore, before September 19, 2011, if you installed update 2616676 and had not already installed update 2607712 or update 2524375, your system would not have been protected from the use of fraudulent digital certificates as described in security advisory 2607712.”
The version of KB2616676 for Windows XP and Windows Server 2003 that users need to make sure they deploy is the one released on September 19, 2011. This refresh is cumulative and covers all the certificates revoked in updates 2524375, 2607712, and the initial 2616676.
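Because the original and the re-released package share the same KB number, checking the installed hotfix list alone does not tell an administrator which version a machine received. The check that actually matters is whether the DigiNotar certificates sit in the machine-wide Untrusted Certificates store, which PowerShell's Cert: drive exposes under the name "Disallowed". The following script is an added example written for this article, not code from Microsoft or from the article itself; it assumes PowerShell is installed on the host (it is not part of Windows XP SP3 by default) and that the function name and the 'DigiNotar' match pattern are choices made here.

```powershell
# Added example (not from the article or from Microsoft): list the DigiNotar
# certificates that are present in the machine-wide Untrusted Certificates
# store, which the Cert: drive exposes as "Disallowed".
# Assumption: PowerShell is available on the host (not shipped with XP SP3).

function Get-DistrustedDigiNotarCerts {
    param(
        # Substring matched against subject and issuer; 'DigiNotar' is the
        # case discussed in the article. Matching the issuer as well makes the
        # cross-signed entries (issued by GTE or Entrust) show up too.
        [string]$Pattern = 'DigiNotar'
    )
    Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
        Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern } |
        Select-Object Thumbprint, Subject, Issuer, NotAfter
}

# Collect the matches as an array so .Count works even for a single result.
$found = @(Get-DistrustedDigiNotarCerts)

if ($found.Count -eq 0) {
    Write-Warning 'No DigiNotar entries in the Untrusted store; the cumulative KB2616676 (September 19, 2011) does not appear to be applied.'
} else {
    "$($found.Count) DigiNotar-related certificate(s) are distrusted machine-wide:"
    $found | Format-Table -AutoSize
}
```

Run it from an elevated prompt so the LocalMachine store is readable. Entries whose Issuer column names GTE or Entrust rather than DigiNotar are the cross-signed certificates the article mentions; a machine that only shows directly-issued DigiNotar roots, or none at all, is still carrying one of the incomplete earlier packages and should get the September 19, 2011 re-release.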