Slashdot Mirror


Microsoft Revokes Trust In 28 of Its Own Certificates

Trailrunner7 writes "In the wake of the Flame malware attack, which involved the use of a fraudulent Microsoft digital certificate, the software giant has reviewed its certificates, found nearly 30 that aren't as secure as the company would like, and revoked them. Microsoft also released its new updater for certificates as a critical update for Windows Vista and later versions as part of today's July Patch Tuesday. Microsoft has not said exactly what the now-untrusted certificates were used for, but company officials said there were a total of 28 certificates affected by the move. However, the company said it was confident none of them had been compromised or used maliciously. The move to revoke trust in these certificates is a direct result of the investigation into the Flame malware and how the attackers were able to forge a Microsoft certificate and then use it to impersonate a Windows Update server."

23 of 78 comments

  1. Serves them right! by Antipater · · Score: 4, Funny

    That's what you get when you leave valuable certificates near open flames.

    --
    Everything is better with chainsaws.
    1. Re:Serves them right! by lipanitech · · Score: 2

      Verisign last year and now Microsoft, plus SSL encryption being picked apart; nothing is really safe on the web anymore.

    2. Re:Serves them right! by X0563511 · · Score: 3, Informative

      plus SSL encryption being picked apart

      Only if system administrators fail at configuration.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    3. Re:Serves them right! by Anonymous Coward · · Score: 4, Insightful

      OT, but related (somewhat):

      > Verisign last year and now Microsoft, plus SSL encryption being picked apart; nothing is really safe on the web anymore.

      Yes, nothing works because M$ doesn't work, then computers as a rule don't work, too. Do people still have some minimal grasp of logic? Or is this a feeble attempt at creating FUD?

      BTW, am I supposed to buy a computer with a "secure boot" with keys from Verisign and M$?

      Let me say that bluntly: enemies of the USA will manage to get keys (at what price, I can only wonder) the next day, while Linux users will have to purchase M$ (copyrighted?) keys to put Linux on their own PCs (maybe).

      Again, secure boot is safe for who, really?

    4. Re:Serves them right! by symbolset · · Score: 3, Insightful

      The purpose for secure boot is to protect the hardware from non-Windows operating systems. It's irony.

      --
      Help stamp out iliturcy.
    5. Re:Serves them right! by mug+funky · · Score: 3, Interesting

      The "enemies of the USA" did not create Flame, nor compromise these certificates.

      You're looking for "USA and its special friend" there. This is public knowledge now.

    6. Re:Serves them right! by sFurbo · · Score: 2

      Linux users will have to purchase M$ (copyrighted?) keys to put Linux on their own PCs.

      They shouldn't be copyrightable, as they are not the result of creative work, but are random. Just like the HD-DVD code should not have been copyrightable. Whether "should" will have any effect on "are" is another problem.

  2. good! by X0563511 · · Score: 3, Insightful

    I'm hardly a Microsoft fan, but good! They seem to be taking a proactive approach here.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    1. Re:good! by drinkypoo · · Score: 4, Insightful

      You mean that operating system that is on ultra-mega-extended-barely-alive support isn't getting patches? Shocker.

      You mean that operating system that Microsoft stopped shipping on June 30, 2010, just ten days over a year ago, even though they had already cut off support? The one that you will still be permitted to "downgrade" to until 2015, three more years from now? That one? The truth is that as long as it is being shipped (and it still is, due to downgrade licenses) it is a current product, by definition.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:good! by Anonymous Coward · · Score: 3, Insightful

      For many years now, you had to make a conscious effort to actually get XP. And I don't mean some kind of checkbox after an EULA that nobody reads, but you actually had to know about the downgrade rights & exercise them. If you do that, you presumably know what exactly you're doing, and all information about XP support lifetime was publicly available since its release, and widely publicized since the first announcement of nearing termination. I have absolutely zero empathy for someone who'd buy XP today and then complain that they don't have support for it.

    3. Re:good! by Anonymous Coward · · Score: 2, Insightful

      If you know the right person to call, Microsoft will ship you a copy of OS/2 v1.3. There are many people that will still want to purchase XP for years after all official support has ended.

    4. Re:good! by benjymouse · · Score: 2

      Yes, they're taking a proactive approach to push upgrades from XP.

      Yeah, if only they would provide a download link for Windows XP and Server 2003 in a knowledge base article so that we could find it if we bothered to look for it!

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  3. Windows update by thoughtsatthemoment · · Score: 2

    If they were able to fake a Windows Update server, it'd have to be as effective as an inside job.

  4. Too little, too late... by darkpixel2k · · Score: 5, Funny

    Microsoft Revokes Trust In 28 of Its Own Certificates

    Old news. I revoked my trust in Microsoft over a decade ago...

    --
    There's no place like ::1 (I've completed my transition to IPv6)
    1. Re:Too little, too late... by wonkey_monkey · · Score: 4, Funny

      +1 Smug.

      --
      systemd is Roko's Basilisk.
  5. Not used maliciously by bhlowe · · Score: 4, Interesting

    The centrifuge operators in Iran may beg to differ..

  6. Re:So when are they going to tackle the real probl by cryptizard · · Score: 3, Informative

    That's the whole point of this: they replaced old certificates with new ones that don't use MD5.

  7. What would happen ... by k(wi)r(kipedia) · · Score: 4, Interesting

    if, a few years into the future, somebody dusts off an old copy of Windows Vista/7 and runs an update. Will that version of Vista/7 still update? Will it still work?

    I'm asking because of this whole business with certificate revocation. Obviously, to revoke a certificate "successfully" without inconveniencing users, you have to update users' systems to the new certificate using the old one. This has obvious consequences for the maintenance of Secure Boot-enabled systems.

    1. Re:What would happen ... by drinkypoo · · Score: 2

      if, a few years into the future, somebody dusts off an old copy of Windows Vista/7 and runs an update. Will that version of Vista/7 still update? Will it still work?

      Depends, will there still be an active activation server?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:What would happen ... by k(wi)r(kipedia) · · Score: 2

      Forgot about that one.

      Secure Boot appears to be an attempt to impose a Microsoft solution to a security problem. Secure Boot would be perfect for Windows systems because such systems would be EOL'd anyway if Microsoft goes belly up.

      But for FLOSS users it would only complicate the maintenance and upgrade paths, even if they decide to use Ubundora's "solutions". There's a chance that a working system would stop working because the boot certificate was revoked.

  8. Update available from fake Windows Update server? by Bent+Mind · · Score: 2

    Microsoft also released its new updater for certificates as a critical update for Windows Vista and later versions as part of today's July Patch Tuesday. ... and how the attackers were able to forge a Microsoft certificate and then use it to impersonate a Windows Update server."

    So, to protect users from potentially trusting a fake Windows Update server, Microsoft is releasing this update through a Windows Update server, which potentially could be fake? I suppose that if your computer already trusts a fake server, it is too late. However, I wish Microsoft would go back to providing downloadable updates that didn't depend on Windows Update.

    --
    Request a Linux Shockwave player here: http://www.macromedia.com/support/email/wishform/
  9. Re:good?? by nzac · · Score: 2

    I would hardly call it proactive, they have just discarded all the certs that would have been considered insecure a couple of years ago. A company that promotes "trusted computing" should have done this when they were found to be insecure.

    The proactive approach would be to upgrade all certs to 2048 bits so they will be as good as the current best standardized strength*. This is just removing those that they would consider insecure: MD5 and less than 1024 bits. This is the bare minimum to try and mitigate the damage.

    *They could beat most Linux distros to doing this completely.
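    The policy cryptizard and nzac describe (distrust certificates signed with MD5 or carrying an RSA key under 1024 bits) as an added, stand-alone audit check; this is example code written for this page, not Microsoft's updater. It uses only the Python standard library, keeps OIDs as raw DER bodies, and builds a constructed skeletal certificate (empty names and validity, no real signature) so it runs offline; the reading logic follows the real outer Certificate layout.

    ```python
    OID_MD5_RSA = bytes.fromhex("2a864886f70d010104")     # 1.2.840.113549.1.1.4  md5WithRSAEncryption
    OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11 sha256WithRSAEncryption
    OID_RSA_KEY = bytes.fromhex("2a864886f70d010101")     # 1.2.840.113549.1.1.1  rsaEncryption
    WEAK_SIG_OIDS = {OID_MD5_RSA: "md5WithRSAEncryption"}  # the thread names MD5 only
    MIN_RSA_BITS = 1024

    def der_tlv(tag, body):                      # encode one DER TLV (long-form length if needed)
        n = len(body)
        if n < 0x80:
            return bytes([tag, n]) + body
        ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(ln)]) + ln + body
    def der_int(v):                              # non-negative INTEGER, sign bit kept clear
        return der_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

    def der_children(body):                      # (tag, body) of every DER TLV inside a SEQUENCE body
        items, pos = [], 0
        while pos < len(body):
            tag, ln, pos = body[pos], body[pos + 1], pos + 2
            if ln & 0x80:                        # long-form length: next (ln & 0x7F) bytes hold it
                k = ln & 0x7F
                ln, pos = int.from_bytes(body[pos:pos + k], "big"), pos + k
            items.append((tag, body[pos:pos + ln]))
            pos += ln
        return items

    def audit_certificate(der):
        """Findings for one DER certificate (empty list = passes the policy)."""
        tbs, sig_alg, _sig = der_children(der_children(der)[0][1])  # Certificate ::= SEQ {tbs, alg, sig}
        fields = der_children(tbs[1])
        if fields[0][0] == 0xA0:                 # skip optional [0] EXPLICIT version, leaving
            fields = fields[1:]                  # serial, sigAlg, issuer, validity, subject, SPKI
        sig_oid = der_children(sig_alg[1])[0][1]
        findings = ["weak signature algorithm: " + WEAK_SIG_OIDS[sig_oid]] if sig_oid in WEAK_SIG_OIDS else []
        alg, pubkey = der_children(fields[5][1])
        if der_children(alg[1])[0][1] == OID_RSA_KEY:        # BIT STRING wraps RSAPublicKey SEQ {n, e}
            rsa_seq = der_children(pubkey[1][1:])[0][1]      # [1:] skips the unused-bits byte
            bits = int.from_bytes(der_children(rsa_seq)[0][1], "big").bit_length()
            if bits < MIN_RSA_BITS:
                findings.append(f"RSA modulus only {bits} bits")
        return findings

    def make_sample_cert(sig_oid, rsa_bits):     # CONSTRUCTED skeleton: real layout, dummy key, no signature
        null, empty = der_tlv(0x05, b""), der_tlv(0x30, b"")
        rsa_key = der_tlv(0x30, der_int((1 << (rsa_bits - 1)) | 0x10001) + der_int(65537))
        spki = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, OID_RSA_KEY) + null) + der_tlv(0x03, b"\x00" + rsa_key))
        alg = der_tlv(0x30, der_tlv(0x06, sig_oid) + null)
        tbs = der_tlv(0x30, der_tlv(0xA0, der_int(2)) + der_int(1) + alg + empty * 3 + spki)
        return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00"))
    ```

    On a real certificate the same walk reaches the outer signatureAlgorithm and SubjectPublicKeyInfo, so `audit_certificate(open("cert.der", "rb").read())` reports the two findings the thread is about.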

  10. Where's the Gates Borg Icon? by chebucto · · Score: 2

    I've been away from /. for a while, so seeing the MS corporate logo in place of the familiar Gates-Borg icon came as a bit of a shock.

    When did our dear leaders get rid of it? What possible reason, aside from a desire to be more bland, could they have?

    --
    The English word fart is one of the oldest words in the English vocabulary.