Executive Summary
Summary | |
---|---|
Title | Unauthorized Digital Certificates Could Allow Spoofing |
Information | |||
---|---|---|---|
Name | KB2728973 | First vendor Publication | 2012-07-10 |
Vendor | Microsoft | Last vendor Modification | 2012-09-05 |
Severity (Vendor) | N/A | Revision | 1.2 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact Sub Score | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : | |||
---|---|---|---|
Cvss Base Score | Not Defined | Attack Range | Not Defined |
Cvss Impact Score | Not Defined | Attack Complexity | Not Defined |
Cvss Exploit Score | Not Defined | Authentication | Not Defined |
Detail
Microsoft is aware of Microsoft certificate authorities that are outside our recommended secure storage practices. Upon a routine review, we are placing these certificates in the Untrusted Certificate Store, and replacing them with new certificate authorities that meet our high standard of public-key infrastructure (PKI) management. We are unaware of any misuse of the certificate authorities, but are taking pre-emptive action to protect customers.

This issue affects all supported releases of Microsoft Windows. Microsoft is providing an update for all supported releases of Microsoft Windows. The update places the following intermediate CA certificates in the Untrusted Certificate Store:

Recommendation. For supported releases of Microsoft Windows, Microsoft recommends that customers apply the update immediately. For more information, see the Suggested Actions section of this advisory.

Known Issues. Microsoft Knowledge Base Article 2728973 documents the currently known issues that customers may experience when installing this update.

For more information about this issue, see the following references:

This advisory discusses the following affected software and devices.

What is the scope of the advisory?
Microsoft has issued an update for all supported releases of Microsoft Windows that addresses the issue.

Does this update address any other unauthorized digital certificates?
Note that although this update addresses certificates described in previous advisories, this update does not contain all the functionality introduced in previous advisories. For more information, see known issues in Microsoft Knowledge Base Article 2728973.

Is Windows 8 Release Preview or Windows Server 2012 Release Candidate affected by the issue addressed in this advisory?

What is cryptography?
In all forms of cryptography, a value known as a key is used in conjunction with a procedure called a crypto algorithm to transform plaintext data into ciphertext. In the most familiar type of cryptography, secret-key cryptography, the ciphertext is transformed back into plaintext using the same key. However, in a second type of cryptography, public-key cryptography, a different key is used to transform the ciphertext back into plaintext.

What is a digital certificate?

What are certificates used for?

What is a certification authority (CA)?

What is a Certificate Trust List (CTL)?

What caused the issue?

What might an attacker use the issue to do?

What is a man-in-the-middle attack?

What is Microsoft doing to help with resolving this issue?

After applying the update, how can I verify the certificates in the Microsoft Untrusted Certificates Store?
For systems not using the automatic updater of revoked certificates, in the Certificates MMC snap-in, verify that the following certificates have been added to the Untrusted Certificates folder:

Note: For information on how to view certificates with the MMC Snap-in, see the MSDN article, How to: View Certificates with the MMC Snap-in.

For supported editions of Windows XP and Windows Server 2003

The majority of customers have automatic updating enabled and will not need to take any action because the KB2728973 update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

For administrators and enterprise installations, or end users who want to install the KB2728973 update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service. For more information on how to manually apply the update, see Microsoft Knowledge Base Article 2728973.

For supported editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8 Release Preview, and Windows Server 2012 Release Preview

The majority of customers have automatic updating enabled and will not need to take any action because an automatic updater of revoked certificates will address the issue by automatically adding the certificates to the Untrusted Certificate Store. The automatic updater of revoked certificates is available for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 through the Microsoft Update service and is described in Microsoft Knowledge Base Article 2677070. The automatic updater of untrusted certificates is included in Windows 8 Release Preview and Windows Server 2012 Release Candidate.

For end users who do not have the automatic updater of revoked certificates (2677070) or for systems that are not connected to the Internet, Microsoft recommends that customers manually apply the KB2728973 update immediately. For more information on how to manually apply the update, see Microsoft Knowledge Base Article 2728973.

For administrators and enterprise installations, Microsoft recommends that customers apply the update immediately using update management software. For more information about the update, see Microsoft Knowledge Base Article 2728973.

We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. Customers can learn more about these steps by visiting Protect Your Computer. For more information about staying safe on the Internet, visit Microsoft Security Central.

Users running Microsoft software should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Microsoft Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have automatic updating enabled and configured to provide updates for Microsoft products, the updates are delivered to you when they are released, but you should verify that they are installed.
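
The verification step described above (checking that the certificates appear in the Untrusted Certificates folder) can also be scripted. The following is an added example, not part of the Microsoft advisory; it assumes PowerShell 3.0 or later, and the thumbprints are placeholders because this page does not list the certificates.

```powershell
# Added example: confirm that expected certificates are present in the
# Untrusted Certificates store ("Disallowed" is that store's system name).
# The values below are placeholders; this page does not list the thumbprints.
$ExpectedThumbprints = @(
    '<THUMBPRINT-1-FROM-ADVISORY>',
    '<THUMBPRINT-2-FROM-ADVISORY>'
)

function Test-UntrustedCertificates {
    param(
        [Parameter(Mandatory = $true)] [string[]] $Thumbprint,
        [string] $StorePath = 'Cert:\LocalMachine\Disallowed'
    )

    # Index the store contents by upper-case thumbprint for exact lookups.
    $present = @{}
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $present[$cert.Thumbprint.ToUpperInvariant()] = $cert
    }

    foreach ($tp in $Thumbprint) {
        # Thumbprints copied from the certificate dialog often carry spaces
        # or an invisible leading character, so keep hex digits only.
        $norm = ($tp -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

        # A SHA-1 thumbprint is exactly 40 hex digits; anything else is a
        # typo or an unfilled placeholder and must not be reported as checked.
        $valid = ($norm.Length -eq 40)
        $cert  = if ($valid) { $present[$norm] } else { $null }

        [pscustomobject]@{
            Input    = $tp
            Valid    = $valid
            InStore  = [bool]$cert
            Subject  = if ($cert) { $cert.Subject } else { $null }
            NotAfter = if ($cert) { $cert.NotAfter } else { $null }
        }
    }
}

$results = Test-UntrustedCertificates -Thumbprint $ExpectedThumbprints
$results | Format-Table -AutoSize

$problems = @($results | Where-Object { -not $_.Valid -or -not $_.InStore })
if ($problems.Count -gt 0) {
    Write-Warning "$($problems.Count) expected certificate(s) invalid or not in the Untrusted Certificates store."
}
```

Run it from an elevated session on each host after the update; entries with `Valid` set to `False` indicate a thumbprint that still needs to be filled in from the advisory.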
Original Source
Url : http://www.microsoft.com/technet/security/advisory/2728973.mspx |
Alert History
Date | Information |
---|---|
2014-02-17 11:38:40 | |
2013-02-06 19:08:06 | |