Executive Summary
| Summary | |
|---|---|
| Title | Fraudulent Digital Certificates Could Allow Spoofing |
Information

| Field | Value | Field | Value |
|---|---|---|---|
| Name | KB2607712 | First vendor publication | 2011-08-29 |
| Vendor | Microsoft | Last vendor modification | 2011-09-19 |
| Severity (Vendor) | N/A | Revision | 5.0 |
Security-Database Scoring CVSS v3 (CVSS vector: N/A)

| Metric | Score | Metric | Score |
|---|---|---|---|
| Overall CVSS Score | NA | | |
| Base Score | NA | Environmental Score | NA |
| Impact Subscore | NA | Temporal Score | NA |
| Exploitability Subscore | NA | | |
Security-Database Scoring CVSS v2 (CVSS vector: not defined)

| Metric | Score | Metric | Value |
|---|---|---|---|
| CVSS Base Score | Not Defined | Attack Range | Not Defined |
| CVSS Impact Score | Not Defined | Attack Complexity | Not Defined |
| CVSS Exploit Score | Not Defined | Authentication | Not Defined |
Detail
Microsoft is aware of active attacks using at least one fraudulent digital certificate issued by DigiNotar, a certification authority present in the Trusted Root Certification Authorities Store. A fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users, including users of Internet Explorer. While this is not a vulnerability in a Microsoft product, this issue affects all supported releases of Microsoft Windows.

Microsoft is continuing to investigate this issue. Based on preliminary investigation, Microsoft is providing a new update (KB2616676) on September 13, 2011 for all supported releases of Microsoft Windows that revokes the trust of the following DigiNotar root certificates by placing them into the Microsoft Untrusted Certificate Store:

Recommendation. Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service. Please see the Suggested Actions section of this advisory for more information.

Known Issues. Microsoft Knowledge Base Article 2616676 documents the currently known issues that customers may experience when installing this update. The article also documents recommended solutions for these issues.

For more information about this issue, see the following references:

This advisory discusses the following software and devices.

*Server Core installation affected. This advisory applies to supported editions of Windows Server 2008 or Windows Server 2008 R2 as indicated, whether or not installed using the Server Core installation option. For more information on this installation option, see the TechNet articles, Managing a Server Core Installation and Servicing a Server Core Installation. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.

Why was this advisory revised September 19, 2011?
Customers of supported editions of Windows XP and Windows Server 2003 should apply the rereleased version of the KB2616676 update to be protected against the use of the fraudulent certificates as specified in this advisory. Customers of supported editions of Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 are not affected by this rerelease. Note: The update will not be offered to customers of supported editions of Windows XP and Windows Server 2003 in the case where the original KB2616676, KB2607712, and KB2524375 updates have all been previously applied, as the rerelease package is cumulative and contains all changes from these three update packages. The majority of customers have automatic updating enabled and will not need to take any action because the rereleased KB2616676 update will be downloaded and installed automatically.

Is Windows Developer Preview affected by this issue?

Why was this advisory revised September 13, 2011?
Although the KB2616676 update replaces the KB2607712 update, the KB2607712 update is not a prerequisite for the KB2616676 update. Regardless of whether or not the KB2607712 update has been applied, customers should apply the KB2616676 update to address the issue described in this advisory. Customers who apply the KB2616676 update do not need to apply the KB2607712 update.

Why was this advisory revised September 6, 2011?
On August 29, 2011, Microsoft removed the trust from one DigiNotar root certificate by updating the Microsoft CTL.

Why is Microsoft releasing an update?
After the CTL update on August 29, 2011, Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 users who accessed a Web site that was signed by an untrusted DigiNotar root certificate would be presented with a warning message indicating that the trust of the certificate could not be verified. Users were allowed to click through this warning message to access the site.

In order to protect customers more comprehensively against possible man-in-the-middle attacks, Microsoft is releasing an update that takes additional measures to protect customers by completely preventing Internet Explorer users from accessing resources of Web sites that contained certificates signed by the untrusted DigiNotar root certificates. Internet Explorer users who apply this update will be presented with an error message when trying to access a Web site that has been signed by either of the above DigiNotar root certificates. These users will not be able to continue to access the Web site.

What does the KB2616676 update do?

How will this update change the user experience when trying to access a Web site that has been encrypted with TLS and signed by an untrusted DigiNotar root certificate?

After applying the update, how can I verify the certificates in the Microsoft Untrusted Certificates Store?
In the Certificates MMC snap-in, verify that the following certificates have been added to the Untrusted Certificates folder:

*Certificate added to the Untrusted Certificates folder by these updates. The KB2616676 update also includes the certificates in the KB2524375 update added to the Untrusted Certificates folder.

What is the scope of the advisory?

What is cryptography?
In all forms of cryptography, a value known as a key is used in conjunction with a procedure called a crypto algorithm to transform plaintext data into ciphertext. In the most familiar type of cryptography, secret-key cryptography, the ciphertext is transformed back into plaintext using the same key. However, in a second type of cryptography, public-key cryptography, a different key is used to transform the ciphertext back into plaintext.

What is a digital certificate?

What are certificates used for?

What is a certification authority (CA)?

What is a Certificate Trust List (CTL)?

What caused the issue?

What might an attacker use the vulnerability to do?

What is a man-in-the-middle attack?

What is the procedure for revoking a certificate?
An alternative way for Web browsers to validate the identity of a digital certificate is by using the Online Certificate Status Protocol (OCSP). OCSP allows interactive validation of a certificate by connecting to an OCSP responder, hosted by the Certificate Authority (CA) which signed the digital certificate. Every certificate should provide a pointer to the OCSP responder location through the Authority Information Access (AIA) extension in the certificate. In addition, OCSP stapling allows the Web server itself to provide an OCSP validation response to the client. OCSP validation is enabled by default on Internet Explorer 7 and later versions of Internet Explorer on supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. On these operating systems, if the OCSP validation check fails, the browser will validate the certificate by contacting the CRL location. For more information on certificate revocation checking, see the TechNet article, Certificate Revocation and Status Checking.

What is a Certificate Revocation List (CRL)?

What is a CRL Distribution Point (CDP)?

What is Online Certificate Status Protocol (OCSP)?

What is Microsoft doing to help with resolving this issue?

How do I know if I've encountered an invalid certificate error?
Users are only presented this message when the certificate is determined to be invalid, for instance when the user has Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP) validation enabled. OCSP validation is enabled by default on Internet Explorer 7 and later versions of Internet Explorer on supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

For supported releases of Microsoft Windows
The majority of customers have automatic updating enabled and will not need to take any action because the KB2616676 update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

For administrators and enterprise installations, or end users who want to install the KB2616676 update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service. For more information on how to manually apply the update, see Microsoft Knowledge Base Article 2616676. Although the KB2616676 update replaces the KB2607712 update, the KB2607712 update is not a prerequisite for the KB2616676 update. Regardless of whether or not the KB2607712 update has been applied, customers should apply the KB2616676 update to address the issue described in this advisory. Customers who apply the KB2616676 update do not need to apply the KB2607712 update.

We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. Customers can learn more about these steps by visiting Protect Your Computer. For more information about staying safe on the Internet, visit Microsoft Security Central. Users running Microsoft software should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Microsoft Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have automatic updating enabled and configured to provide updates for Microsoft products, the updates are delivered to you when they are released, but you should verify that they are installed.
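The two checks the advisory asks for (that the update is installed, and that the DigiNotar roots now sit in the Untrusted Certificates store) can be scripted from PowerShell instead of walked through in the Certificates MMC snap-in. This is an added example, not part of the advisory or of Microsoft's own tooling; it assumes the update shows up under its KB number in Get-HotFix and identifies the revoked roots by the "DigiNotar" name in their Subject or Issuer, because this copy of the advisory does not carry the thumbprint list.

```powershell
# Added example: verify the DigiNotar mitigation from this advisory on one Windows host.
# Assumptions (not from the advisory text): KB2616676 is listed by Get-HotFix once
# installed, and the revoked roots can be recognised by "DigiNotar" in Subject/Issuer
# since this mirror of the advisory omits the certificate thumbprints.
$Kb      = 'KB2616676'
$Pattern = 'DigiNotar'

# 1. Is the update that populates the Untrusted Certificates store installed?
$hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
if ($hotfix) {
    Write-Output "$Kb installed on $($hotfix.InstalledOn)"
} else {
    # The rerelease is cumulative with KB2607712 and KB2524375, so a missing entry
    # here is a reason to check the update source, not proof of exposure on its own.
    Write-Output "$Kb not found; check Windows Update / WSUS"
}

# 2. Which DigiNotar certificates are explicitly distrusted?
#    Cert:\LocalMachine\Disallowed is the "Untrusted Certificates" folder of the MMC snap-in.
$disallowed = Get-ChildItem Cert:\LocalMachine\Disallowed |
    Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern }

Write-Output ("Untrusted store: {0} DigiNotar certificate(s)" -f @($disallowed).Count)
$disallowed | Select-Object Thumbprint, Subject, NotAfter | Format-Table -AutoSize

# 3. Is any DigiNotar root still trusted without a matching Untrusted-store entry?
#    An entry in Disallowed overrides the same certificate in Root, so a root present
#    in both is blocked; one present only in Root means the mitigation did not apply.
$trusted = Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Where-Object { $_.Subject -match $Pattern }
$blocked      = @($disallowed | ForEach-Object { $_.Thumbprint })
$stillTrusted = @($trusted | Where-Object { $blocked -notcontains $_.Thumbprint })

if ($stillTrusted.Count -gt 0) {
    Write-Warning "DigiNotar root(s) still trusted and not revoked by the update:"
    $stillTrusted | Select-Object Thumbprint, Subject, PSParentPath | Format-Table -AutoSize
} else {
    Write-Output "No DigiNotar root is trusted without a matching Untrusted-store entry."
}
```

Run it in an elevated session so the LocalMachine stores are readable; the third check is the one that matters, since a root in the Untrusted store is blocked even if a copy remains in the Trusted Root store.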
Original Source
URL: http://www.microsoft.com/technet/security/advisory/2607712.mspx
Alert History
| Date | Information |
|---|---|
| 2013-02-06 19:08:06 | |