Microsoft is aware that DigiCert Sdn. Bhd, a Malaysian subordinate certification authority (CA) under Entrust and GTE CyberTrust, has issued 22 certificates with weak 512-bit keys. These weak encryption keys, when broken, could allow an attacker to use the certificates fraudulently to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users, including users of Internet Explorer. While this is not a vulnerability in a Microsoft product, this issue affects all supported releases of Microsoft Windows.
DigiCert Sdn. Bhd is not affiliated with the corporation DigiCert, Inc., which is a member of the Microsoft Root Certificate Program.
There is no indication that any certificates were issued fraudulently. Instead, cryptographically weak keys have allowed some of the certificates to be duplicated and used in a fraudulent manner.
Microsoft is providing an update for all supported releases of Microsoft Windows that revokes the trust in DigiCert Sdn. Bhd. The update revokes the trust of the following two intermediate CA certificates:
- Digisign Server ID – (Enrich), issued by Entrust.net Certification Authority (2048)
- Digisign Server ID (Enrich), issued by GTE CyberTrust Global Root
Recommendation. Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service. Please see the Suggested Actions section of this advisory for more information.
Known Issues. Microsoft Knowledge Base Article 2641690 documents the currently known issues that customers may experience when installing this update. The article also documents recommended solutions for these issues.
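As an added example that is not part of this advisory, the following PowerShell audit lets a Windows administrator list certificates in the local stores whose RSA public keys are shorter than 1024 bits and confirm that the two Digisign intermediates are present in the Untrusted Certificates store. It assumes the update places the revoked certificates in Cert:\LocalMachine\Disallowed; the 1024-bit threshold and the Subject match pattern are choices made here, not values from the advisory.

```powershell
# Added example, not Microsoft's code. Assumes the revoked Digisign intermediates
# are placed in the Untrusted store (Cert:\LocalMachine\Disallowed) by the update.
$MinimumRsaBits = 1024   # policy threshold chosen for this example

function Get-RsaKeySize {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Returns $null for non-RSA keys (e.g. ECDSA) so they are not reported as weak.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    if ($null -eq $rsa) { return $null }
    return $rsa.KeySize
}

# 1. Report every certificate in the machine and user stores with an RSA key below the threshold.
$weak = foreach ($store in 'Cert:\LocalMachine', 'Cert:\CurrentUser') {
    Get-ChildItem -Path $store -Recurse |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        ForEach-Object {
            $bits = Get-RsaKeySize -Certificate $_
            if ($bits -and $bits -lt $MinimumRsaBits) {
                [pscustomobject]@{
                    Store      = $_.PSParentPath
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    KeyBits    = $bits
                    Thumbprint = $_.Thumbprint
                }
            }
        }
}
if ($weak) { $weak | Format-Table -AutoSize } else { Write-Host "No RSA keys below $MinimumRsaBits bits found." }

# 2. Confirm the Digisign Server ID intermediates are distrusted (present in the Untrusted store).
$digisign = Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
    Where-Object { $_.Subject -like '*Digisign Server ID*' }
if ($digisign) {
    $digisign | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-List
} else {
    Write-Warning 'No Digisign Server ID certificate in Cert:\LocalMachine\Disallowed; verify the update is installed.'
}
```

Run it from an elevated PowerShell session so that the LocalMachine stores are fully readable; certificates reported in step 1 that are not in the Disallowed store are candidates for replacement with keys of at least 1024 bits.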