Microsoft Revokes Trust In 28 of Its Own Certificates
Trailrunner7 writes "In the wake of the Flame malware attack, which involved the use of a fraudulent Microsoft digital certificate, the software giant has reviewed its certificates, found nearly 30 that aren't as secure as the company would like, and revoked them. Microsoft also released its new updater for certificates as a critical update for Windows Vista and later versions as part of today's July Patch Tuesday. Microsoft has not said exactly what the now-untrusted certificates were used for, but company officials said there were a total of 28 certificates affected by the move. However, the company said it was confident none of them had been compromised or used maliciously. The move to revoke trust in these certificates is a direct result of the investigation into the Flame malware and how the attackers were able to forge a Microsoft certificate and then use it to impersonate a Windows Update server."
That's what you get when you leave valuable certificates near open flames.
Everything is better with chainsaws.
Microsoft Revokes Trust In 28 of Its Own Certificates
Old news. I revoked my trust in Microsoft over a decade ago...
There's no place like
The centrifuge operators in Iran may beg to differ..
You mean that operating system that is on ultra-mega-extended-barely-alive support isn't getting patches? Shocker.
You mean that operating system that Microsoft stopped shipping on June 30, 2010, just ten days over a year ago, even though they had already cut off support? The one that you will still be permitted to "downgrade" to until 2015, three more years from now? That one? The truth is that as long as it is being shipped (and it still is, due to downgrade licenses) it is a current product, by definition.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
if, a few years into the future, somebody dusts off an old copy of Windows Vista/7 and runs an update. Will that version of Vista/7 still update? Will it still work?
I'm asking because of this whole business with certificate revocation. Obviously, to revoke a certificate "successfully" without inconveniencing users, you have to update users' systems to the new certificate using the old one. This has obvious consequences for the maintenance of Secure Boot-enabled systems.