Windows Enterprise Desktop

Nov 16 2011   3:31PM GMT

A quiet, out-of-band MS Security Update: More Fraudulent Certificates

Ed Tittel

Remember the recent hoopla this summer about fraudulent master-level (intermediate authority) digital certificates showing up in the wild? Well, Microsoft quietly released another out-of-band security update last Friday (11/11/2011) under the heading of KB2641690, with an accompanying Security Advisory. Apparently, Microsoft has also revoked its trust in the DigiCert Malaysia Certificate Authority (doing business as DigiCert Sdn. Bhd.) for violation of the Microsoft Root Program requirements (see this Softpedia report for more information: “Microsoft Revokes Trust in DigiCert Malaysia Certificate Authority”).

MS Security Advisory for Digital Certificates

The Softpedia story nicely explains why Microsoft took this action, and issued an emergency security update to match:

“Microsoft was notified by Entrust, Inc, a certificate authority in the Microsoft Root program, that a Malaysian subordinate CA, DigiCert Sdn. Bhd issued 22 certificates with weak 512 bit keys,” revealed Jerry Bryant, Group manager, Response Communications, Trustworthy Computing.

“Additionally, this subordinate CA has issued certificates without the appropriate usage extensions or revocation information.”

Microsoft stressed that unlike the DigiNotar scenario from a few months back, this time around attackers did not get the chance to exploit the weak and deficient secure sockets layer certificates issued by Digicert Malaysia. 

This is best understood as a pre-emptive measure designed to forestall possible security compromises or potential attack vectors BEFORE they occur. That same reasoning, however, dictates that this security update be fast-tracked into production. Another one for your hurry-up schedule!
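As an added illustration (my own example, not code from the post, from Microsoft or from the advisory), here is a PowerShell check that flags the three deficiencies the advisory describes in the DigiCert Sdn. Bhd. certificates: an RSA key below a minimum size (512-bit in this case), missing usage extensions, and missing revocation information. It assumes Windows PowerShell 5.1 or later on a Windows host; the function name and the 1024-bit threshold are my choices.

```powershell
function Test-CertificateHygiene {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        # Anything below this is reported as weak; the certificates in the advisory were 512-bit.
        [int]$MinimumRsaBits = 1024
    )
    process {
        $oids = $Certificate.Extensions | ForEach-Object { $_.Oid.Value }
        $findings = New-Object System.Collections.Generic.List[string]

        # Key size: GetRSAPublicKey returns $null for non-RSA keys (e.g. ECDSA), which are skipped here.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
        if ($rsa -and $rsa.KeySize -lt $MinimumRsaBits) {
            $findings.Add("weak RSA key: $($rsa.KeySize) bits")
        }

        # Usage extensions: Key Usage (OID 2.5.29.15) and Extended Key Usage (OID 2.5.29.37).
        if ($oids -notcontains '2.5.29.15') { $findings.Add('no Key Usage extension') }
        if ($oids -notcontains '2.5.29.37') { $findings.Add('no Extended Key Usage extension') }

        # Revocation information: CRL Distribution Points (OID 2.5.29.31) or
        # Authority Information Access (OID 1.3.6.1.5.5.7.1.1), which carries the OCSP responder URL.
        if ($oids -notcontains '2.5.29.31' -and $oids -notcontains '1.3.6.1.5.5.7.1.1') {
            $findings.Add('no CRL distribution point or OCSP/AIA pointer')
        }

        [pscustomobject]@{
            Subject    = $Certificate.Subject
            Thumbprint = $Certificate.Thumbprint
            NotAfter   = $Certificate.NotAfter
            Findings   = if ($findings.Count) { $findings -join '; ' } else { 'ok' }
        }
    }
}

# Usage: audit every certificate in the machine's personal store and show only the problem cases.
Get-ChildItem Cert:\LocalMachine\My |
    Test-CertificateHygiene |
    Where-Object Findings -ne 'ok' |
    Format-Table -AutoSize
```

Self-signed roots legitimately omit revocation pointers and often omit EKU, so pointing this at Cert:\LocalMachine\Root will list them; it is meant for end-entity and subordinate CA certificates.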
