Executive Summary
Summary | |
---|---|
Title | Update for Deprecation of MD5 Hashing Algorithm for Microsoft Root Certificate Program |
Information | |||
---|---|---|---|
Name | KB2862973 | First vendor Publication | 2013-08-13 |
Vendor | Microsoft | Last vendor Modification | 2014-02-11 |
Severity (Vendor) | N/A | Revision | 2.0 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : | |||
---|---|---|---|
Cvss Base Score | Not Defined | Attack Range | Not Defined |
Cvss Impact Score | Not Defined | Attack Complexity | Not Defined |
Cvss Exploit Score | Not Defined | Authentication | Not Defined |
Detail
Microsoft is announcing the availability of an update for supported editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT that restricts the use of certificates with MD5 hashes. This restriction is limited to certificates issued under roots in the Microsoft root certificate program. Usage of the MD5 hash algorithm in certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.

The update is available on the Download Center as well as the Microsoft Update Catalog for all affected releases of Microsoft Windows except for Windows RT. In addition, as of February 11, 2014, this update is offered via automatic updating and through the Microsoft Update service for all affected software.

Recommendation. Microsoft recommends that customers apply the update at the earliest opportunity. Please see the Suggested Actions section of this advisory for more information. Note that the 2862966 update is a prerequisite and must be applied before this update can be installed. The 2862966 update contains associated framework changes to Microsoft Windows. For more information, see Microsoft Knowledge Base Article 2862966.

Known Issues. Microsoft Knowledge Base Article 2862973 documents the currently known issues that customers may experience when installing this update. The article also documents recommended solutions for these issues.

For more information about this issue, see the following references:

This advisory discusses the following software.

Why was this advisory revised on February 11, 2014?
Why was this advisory revised on October 8, 2013?
Does this update apply to Windows 8.1, Windows Server 2012 R2, or Windows RT 8.1?
Does this update apply to Windows 8.1 Preview, Windows RT 8.1 Preview, or Windows Server 2012 R2 Preview?
What is the scope of the advisory?
When will Microsoft release this update to Microsoft Update?
How might an attacker use digital certificates fraudulently?
What is a digital certificate?
What is a man-in-the-middle attack?

What does the 2862973 update do?
For a complete list of scenarios on how this update will block the usage of certificates with MD5 hashes, see Microsoft Knowledge Base Article 2862973. Additionally, the prerequisite framework update (2862966) provides the functionality to log when certificates are blocked by this update (2862973). For more information regarding enabling this logging feature, see Microsoft Knowledge Base Article 2862966. Note that the 2862973 update does not affect binaries signed by certificates using an MD5 hash algorithm.

How do I prepare for this release?

Apply the update for affected releases of Microsoft Windows

Most customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

For administrators of enterprise installations, or end users who want to install the 2862973 update manually, Microsoft recommends that customers download the update and assess the impact of blocking the usage of certificates with MD5 hashes. See Microsoft Knowledge Base Article 2862973 for download links to the update packages. Note that the 2862966 update is a prerequisite and must be installed before this update can be installed. The 2862966 update contains associated framework changes to Microsoft Windows. For more information, see Microsoft Knowledge Base Article 2862966.

For a complete list of scenarios on how this update will block the usage of certificates with MD5 hashes, see Microsoft Knowledge Base Article 2862973.
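
One way to start the impact assessment recommended above, as an added example that is not part of Microsoft's advisory: the PowerShell below reports whether the two updates named in the advisory are installed and lists certificates in the local stores whose signature algorithm is MD5-based. It assumes it is run on the Windows host being assessed; it does not determine whether a listed certificate chains to a root in the Microsoft root certificate program, so treat the output as a candidate list to review.

```powershell
# Added example (not from the advisory): inventory for assessing the MD5 restriction.

# 1. Check the prerequisite framework update and the MD5 restriction update.
foreach ($kb in 'KB2862966', 'KB2862973') {
    $fix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    if ($fix) {
        Write-Output ("{0}: installed on {1}" -f $kb, $fix.InstalledOn)
    } else {
        Write-Output ("{0}: not installed" -f $kb)
    }
}

# 2. List certificates signed with an MD5-based algorithm.
#    1.2.840.113549.1.1.4 is the OID for md5WithRSAEncryption (friendly name md5RSA).
$md5Oid = '1.2.840.113549.1.1.4'

$candidates = Get-ChildItem -Path Cert:\LocalMachine, Cert:\CurrentUser -Recurse |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
    Where-Object {
        $_.SignatureAlgorithm.Value -eq $md5Oid -or
        $_.SignatureAlgorithm.FriendlyName -like 'md5*'
    } |
    Select-Object @{ n = 'Store';  e = { $_.PSParentPath -replace '^.*::', '' } },
                  @{ n = 'SigAlg'; e = { $_.SignatureAlgorithm.FriendlyName } },
                  Subject, Issuer, NotAfter, Thumbprint

# 3. Report. Expired certificates are kept in the list but sorted last,
#    since only certificates still in use matter for the assessment.
$now = Get-Date
$candidates |
    Sort-Object @{ e = { $_.NotAfter -lt $now } }, Store, Subject |
    Format-Table -AutoSize -Wrap

Write-Output ("{0} certificate(s) with an MD5-based signature found." -f @($candidates).Count)
```

Certificates that services or applications present from files or remote endpoints are not in these stores and need to be checked separately.
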
Original Source
Url : http://www.microsoft.com/technet/security/advisory/2862973.mspx |
Alert History
Date | Information |
---|---|
2016-01-13 13:25:11 |
|
2014-02-17 11:38:43 |
|
2014-02-11 21:20:00 |
|
2013-10-09 05:19:25 |
|
2013-09-18 17:10:45 |
|