Microsoft issues security advisory for another compromised CA (Malaysian this time)

Microsoft is aware that DigiCert Sdn. Bhd, a Malaysian subordinate certification authority (CA) under Entrust and GTE CyberTrust, has issued 22 certificates with weak 512 bit keys. These weak encryption keys, when broken, could allow an attacker to use the certificates fraudulently to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer. While this is not a vulnerability in a Microsoft product, this issue affects all supported releases of Microsoft Windows.

DigiCert Sdn. Bhd is not affiliated with the corporation DigiCert, Inc., which is a member of the Microsoft Root Certificate Program.

There is no indication that any certificates were issued fraudulently. Instead, cryptographically weak keys have allowed some of the certificates to be duplicated and used in a fraudulent manner.

Microsoft is providing an update for all supported releases of Microsoft Windows that revokes the trust in DigiCert Sdn. Bhd. The update revokes the trust of the following two intermediate CA certificates:

  • Digisign Server ID – (Enrich), issued by Entrust.net Certification Authority (2048)
  • Digisign Server ID (Enrich), issued by GTE CyberTrust Global Root

Recommendation. Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service. Please see the Suggested Actions section of this advisory for more information.

Known Issues. Microsoft Knowledge Base Article 2641690 documents the currently known issues that customers may experience when installing this update. The article also documents recommended solutions for these issues.

 

(Source: Microsoft)

Improve our visibility and share this article with your friends !
  • Digg
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • RSS
  • Slashdot
  • Twitter
About Danny Bisaerts

Danny Bisaerts has grown over the past decades from a development background into the world of Information Security and Physical Security. He has spent a lot of time in the world of finance, government, consulting, manufacturing, telecommunications and utilities ...

Danny is currently the editor of www.itsecurity.be. Email : editor@itsecurity.be
LinkedIn : Public Profile