As part of its response to the Flame malware and its use of a forged Microsoft certificate to sign malicious files, Microsoft has changed the way that Windows handles certificates, releasing an automatic updater function that recognizes and flags untrusted certificates.
The new functionality is a major change in the way that Windows deals with certificate revocation lists and gives the company a mechanism to quickly revoke trust in forged or stolen certificates. Microsoft also announced a change, taking effect in August, that will invalidate all certificates with keys shorter than 1024 bits. Even if those certificates are otherwise valid and are signed by a trusted root, Windows will treat them as invalid because of the short key length.
“This new automatic updater feature provides a mechanism that allows Windows to specifically flag certificates as untrusted. With this new feature, Windows will check daily for updated information about certificates that are no longer trustworthy. In the past, movement of certificates to the untrusted store required a manual update,” Microsoft said of the change to the certificate revocation mechanism.
The automatic updater for certificate revocations is available for Windows Vista SP 2, Windows 7, Windows Server 2008 SP 2 and Windows Server 2008 R2. The change is a direct response to the usage of a forged Microsoft certificate by the attackers behind the Flame malware. Those attackers were able to use a bug in the way that Microsoft’s Terminal Services licensing server worked in order to produce a forged, but valid, certificate that they then used to sign a binary and impersonate Windows Update. That was one of the methods that the attackers used to spread Flame from machine to machine.
This attack was a black eye for Microsoft and, as one might imagine, did not sit well with the security team in Redmond. So, the automatic update for untrusted certificates is one part of the company’s response.
“In the past, customers would have had to make changes to the Untrusted Certificate Store by initiating updates through Windows Update or by using a manual method. For example, the updates published in KB 2718704, which describes an update to move unauthorized certificates to the untrusted store, had to be initiated manually. This new feature provides dynamic updates for revocation information so that Windows clients can be updated with untrusted certificates at most within a day of the information being published (no user interaction required). This new automatic updater will enable Certificate Authorities to report information about their revoked CA certificates to Microsoft and have them publicly untrusted in a much faster manner as compared to propagating this information by using CRLs,” Kurt Hudson of Microsoft wrote in a blog post.
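For administrators who want to see how these two changes land on their own machines, the following PowerShell script is an added example (not Microsoft's code, and not from the article): it lists the certificates that currently sit in the Disallowed (untrusted) store the updater feeds, and audits the common trust stores for RSA keys shorter than the 1024-bit threshold the article describes. The store paths and the `$MinimumRsaBits` constant are assumptions chosen to match the article; it needs Windows PowerShell 5.1 on .NET Framework 4.6 or later.

```powershell
# Added example script; assumption: 1024 is the threshold described in the article.
$MinimumRsaBits = 1024

# 1. What has already been pushed into the untrusted store on this machine.
Write-Host "Certificates in the Disallowed (untrusted) store:"
Get-ChildItem -Path 'Cert:\LocalMachine\Disallowed' |
    Select-Object Subject, NotAfter, Thumbprint |
    Format-Table -AutoSize

# 2. Certificates that will fail validation once the key-length rule is enforced.
# Assumption: these are the stores worth auditing; adjust to your environment.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA', 'Cert:\LocalMachine\My',
          'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\CA',  'Cert:\CurrentUser\My'

$weak = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
        $cert = $_
        # The length rule concerns RSA keys; skip other algorithms (e.g. ECC).
        if ($cert.PublicKey.Oid.FriendlyName -ne 'RSA') { return }
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        if ($null -eq $rsa) { return }
        if ($rsa.KeySize -lt $MinimumRsaBits) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                KeyBits    = $rsa.KeySize
                NotAfter   = $cert.NotAfter
                Thumbprint = $cert.Thumbprint
            }
        }
    }
}

Write-Host "Certificates with RSA keys shorter than $MinimumRsaBits bits:"
if ($weak) {
    $weak | Sort-Object KeyBits, Store | Format-Table -AutoSize
} else {
    Write-Host "  none found"
}
```

Run it in an elevated session if you want the LocalMachine stores read fully; anything listed in the second table is a certificate whose chain Windows will reject after the August change regardless of which root signed it.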