Microsoft reacted extremely rapidly to protect users of Internet Explorer against attacks leveraging fraudulent DigiNotar certificates, and is now providing an update for all supported versions of Windows that revokes trust in all DigiNotar root certificates.
Customers running Windows are advised to deploy KB 2607712 as fast as possible, and ensure that DigiNotar certificates are moved to the Microsoft Untrusted Certificate Store.
KB 2607712 is available for Windows 7 Service Pack 1 (SP1), Windows Vista SP2 and Windows XP SP3, as well as their server equivalents: Windows Server 2008 R2, Windows Server 2008 and Windows Server 2003 (links at the bottom of this article).
“Based on our investigation, we’ve deemed all DigiNotar certificates to be untrustworthy and have moved them to the Untrusted Certificate Store. Additionally, we have extended our support with this update so all customers using Windows XP, Windows Server 2003, and all Windows supported third-party applications are protected,” revealed Dave Forstrom, director, Trustworthy Computing.
Initially, the software giant had been able to protect only IE users running Windows 7 or Windows Vista, but protection has now been extended to all customers running supported releases of Windows client and Server platforms.
The following DigiNotar root certificates have been revoked: DigiNotar Root CA, DigiNotar Root CA G2, DigiNotar PKIoverheid CA Overheid, DigiNotar PKIoverheid CA Organisatie – G2 and DigiNotar PKIoverheid CA Overheid en Bedrijven.
Fraudulent DigiNotar certificates have already been abused by attackers in the wild. Windows users should deploy the update provided by Microsoft to ensure that they’re safe against spoofed content, phishing attacks, and man-in-the-middle attacks.
“Microsoft recognizes that this issue is an industry problem, and has been actively collaborating with certificate authorities, governments, and software vendors to help protect its mutual customers. Microsoft continues to investigate this issue,” Forstrom added.
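To confirm on a given machine that the update is installed and that the five certificates listed above sit in the Untrusted Certificate Store, an administrator can run a check like the one below. It is an added example, not a Microsoft script; it assumes PowerShell 2.0 or later is available, that the untrusted store is exposed as `Cert:\LocalMachine\Disallowed`, and that the certificate names match the article's list with a plain hyphen in "Organisatie - G2". The function name is hypothetical.

```powershell
# Added example: verify the DigiNotar revocation described in this article.
# Names are copied from the article's list; the plain hyphen in
# "Organisatie - G2" is an assumption (dashes are normalized before comparing).
$expected = @(
    'DigiNotar Root CA',
    'DigiNotar Root CA G2',
    'DigiNotar PKIoverheid CA Overheid',
    'DigiNotar PKIoverheid CA Organisatie - G2',
    'DigiNotar PKIoverheid CA Overheid en Bedrijven'
)
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

function Get-StoreNames([string]$store) {
    # Return the subject simple name (normally the CN) of every cert in a store.
    Get-ChildItem "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue |
        ForEach-Object { $_.GetNameInfo($nameType, $false) -replace '[\u2013\u2014]', '-' }
}

# 1. Is the update recorded as installed?
$kb = Get-HotFix -Id 'KB2607712' -ErrorAction SilentlyContinue
if ($kb) { "KB2607712: installed" } else { "KB2607712: not reported by Get-HotFix" }

# 2. Is each listed certificate present in the Untrusted Certificate Store?
$untrusted = @(Get-StoreNames 'Disallowed')
$missing = @()
foreach ($name in $expected) {
    if ($untrusted -contains $name) {
        "{0,-50} untrusted" -f $name
    } else {
        "{0,-50} MISSING from Untrusted store" -f $name
        $missing += $name
    }
}

# 3. Report any DigiNotar certificate that still appears in a trusted root store.
foreach ($store in 'Root', 'AuthRoot') {
    Get-StoreNames $store | Where-Object { $_ -like '*DigiNotar*' } |
        ForEach-Object { "Still present in LocalMachine\${store}: $_" }
}

# Non-zero exit code lets a deployment tool flag machines that need attention.
if (-not $kb -or $missing.Count -gt 0) { exit 1 }
```

`Get-HotFix` does not report every kind of update on every Windows version, so treat the certificate-store result as the authoritative part of the check.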