Posted by: Ed Tittel
another hurry-up Windows Update released 11/11/11, KB2641690 issued for weak or fraudulent security certificates
Remember the recent hoopla this summer about fraudulent master-level (intermediate authority) digital certificates showing up in the wild? Well, Microsoft quietly released another out-of-band security update last Friday (11/11/2011) under the heading of KB2641690, with an accompanying Security Advisory. Apparently, Microsoft has also revoked its trust in the Digicert Malaysia Certificate Authority (doing business as DigiCert Sdn. Bhd.) for violation of the Microsoft Root Program requirements (see this Softpedia report for more information: “Microsoft Revokes Trust in Digitcert Malaysia Certificate Authority“).
The Softpedia story nicely explains why Microsoft took this action, and issued an emergency security update to match:
“Microsoft was notified by Entrust, Inc, a certificate authority in the Microsoft Root program, that a Malaysian subordinate CA, DigiCert Sdn. Bhd issued 22 certificates with weak 512 bit keys,” revealed Jerry Bryant, Group manager, Response Communications, Trustworthy Computing.
“Additionally, this subordinate CA has issued certificates without the appropriate usage extensions or revocation information.”
Microsoft stressed that unlike the DigiNotar scenario from a few months back, this time around attackers did not get the chance to exploit the weak and deficient secure sockets layer certificates issued by Digicert Malaysia.
This is best understood as a pre-emptive measure designed to forestall possible security compromises or potential attack vectors BEFORE they occur. Nevertheless, it also dictates that this security update be fast-tracked into production for the selfsame reasons. Another one for your hurry-up schedule!