Microsoft: Stolen SSL certs can't be used to install malware via Windows Update
Updates also code-signed by separate certificate that Microsoft controls
Computerworld - Microsoft said Sunday that a digital certificate stolen from a Dutch company could not be used to force-feed customers malware through its Windows Update service.
The company's assertion came after a massive theft of more than 500 SSL (secure socket layer) certificates, including several that could be used to impersonate Microsoft's update services, was revealed by Dutch authorities and several other affected developers.
"Attackers are not able to leverage a fraudulent Windows Update certificate to install malware via the Windows Update servers," said Jonathan Ness, an engineer with the Microsoft Security Response Center (MSRC), in a Sunday blog post. "The Windows Update client will only install binary payloads signed by the actual Microsoft root certificate, which is issued and secured by Microsoft."
Seven of the 531 certificates now known to have been fraudulently obtained by hackers in July were for the domains update.microsoft.com and windowsupdate.com, while another six were for *.microsoft.com.
According to Microsoft, the certificates issued for windowsupdate.com couldn't be used by attackers because the company no longer uses that domain. (Windows Update is now at windowsupdate.microsoft.com..) However, those for update.microsoft.com -- the domain for Microsoft Update -- and the wildcard *.microsoft.com could be.
As Ness said, updates delivered via Microsoft's services are signed with a separate certificate that's closely held by the company.
Without that code-signing certificate, attempts to deliver malware disguised as an update to a Windows PC would fail.
Other vendors, including Apple, also sign software updates with a separate certificate.
The certificates for the various Microsoft domains were issued by DigiNotar, a Dutch company that last week admitted its network had been hacked in mid-July.
The company initially believed it had revoked all the fraudulent certificates, but later realized it had overlooked one that could be used to impersonate any Google service, including Gmail. DigiNotar went public only after users reported their findings to Google.
Criminals or governments could use the stolen certificates to conduct "man-in-the-middle" attacks, tricking users into thinking they were at a legitimate site when in fact their communications were being secretly intercepted.
Microsoft has added its voice to the chorus from rival browser makers, notably Google and Mozilla, about the seriousness of the situation. Like its competitors, Microsoft will also permanently block all DigiNotar certificates.
"We are in the process of moving all DigiNotar owned or managed [certificate authorities] to the Untrusted Root Store, which will deny access to any website using DigiNotar certificates," said Dave Forstrom, a director in the Microsoft Trustworthy Computing group, in an emailed statement Sunday.
Forstrom did not set a date by when Microsoft would block all DigiNotar certificates, including those used by the Dutch government, which has been a major customer of the company.
Google updated Chrome on Saturday to block all DigiNotar certificates, while Mozilla plans to do the same on Tuesday for Firefox.
However, Microsoft's partial ban of DigiNotar certificates -- which it instituted last week -- and the complete sanction now in the works only protects users running Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2.
Customers still on Windows XP or Windows Server 2003 must wait for an update specific to those operating systems; Ness said only that that update would "be available soon."
Until that Windows XP update is available, users can protect themselves by manually deleting the DigiNotar root from the list of approved certificate-issuing authorities. Microsoft has posted lengthy instructions for doing that on its "Security Research & Defense" blog.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
- Everything You Know About Enterprise Security Is Wrong
- UK man charged with hacking Federal Reserve
- McAfee Offers Global Response to Nationalized Malware
- Tech Industry Praises Cybersecurity Framework From White House
- Ransomware like Cryptolocker uses Bitcoin, other virtual currencies for payment
- Trial for alleged Silk Road creator Ross Ulbricht set for November
- Target attack shows danger of remotely accessible HVAC systems
- U.S. is investigating Target data breach, AG Holder says
- Russian man pleads guilty in SpyEye malware case
- Suspected email hackers for hire charged in four countries
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Gartner Report: A Guide to Gartner's Enterprise Mobile Security Self-Assessment Gartner introduces a model and a Toolkit intended to help mobility and security IT leaders assess their enterprise mobility programs from a security...
- Gartner Report: Containing Mobile Security Risks With the 80/20 Rule IT planners can deliver better mobile protection with higher user satisfaction by segmenting users into risk groups before committing to specific management or...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts