UPDATED: In the wake of the Flame malware attack, which involved the use of a fraudulent Microsoft digital certificate, the software giant has reviewed its certificates and found nearly 30 that aren’t as secure as the company would like and has revoked them. Microsoft also released its new updater for certificates as a critical update for Windows Vista and later versions as part of today’s July Patch Tuesday.
Microsoft has not said exactly what the now-untrusted certificates were used for, but company officials said there were a total of 28 certificates affected by the move. Many of the affected certificates are listed simply as “Microsoft Online Svcs”. However, the company said that it was confident that none of them had been compromised or used maliciously. The move to revoke trust in these certificates is a direct result of the investigation into the Flame malware and how the attackers were able to forge a Microsoft certificate and then use it to impersonate a Windows Update server.
“As a continuation of this effort, we reviewed a number of Microsoft digital certificates and found several which do not meet our standards for security practices. As an extra precautionary measure, we released Security Advisory 2728973 today to announce the availability of a Critical, non-security update that moves several of these certificates into the Untrusted Certificate Store. None of the certificates involved are known to have been breached, compromised, or otherwise misused. This is a pre-emptive cleanup to ensure a high bar for any certificates owned by Microsoft,” Gerardo Di Giacomo and Jonathan Ness of the Microsoft Security Response Center wrote in an explanation of the change.
During the analysis of the Flame malware, researchers discovered that one of the unique features of the worm was its use of a forged Microsoft certificate. The attackers used that certificate to set up a seemingly valid Windows Update server inside an infected organization, then had clients connect to that server, ostensibly for Microsoft updates, and install the Flame malware on those machines.
That episode led to several changes in the way that Microsoft handles certificates, and the revocation of trust in several of its own certificates is one of the more dramatic results. Several weeks ago the company also announced that it would be releasing a mechanism for Windows that would automatically update the status of certificates in the certificate store. That was released as an optional update for Windows, but today Microsoft changed that to a critical, non-security update, which will install it automatically on many machines.
“This new feature provides dynamic updates, allowing Windows clients to be updated with untrusted certificates once per day without requiring user interaction,” Di Giacomo and Ness wrote.
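As an added example, not part of the article or of Microsoft's own tooling, the PowerShell below is the check a defender would run to confirm the update landed on a machine: it lists what the machine-wide Untrusted Certificate Store holds under the “Microsoft Online Svcs” subject name the article mentions, and flags any expected thumbprints that are missing. The `Cert:\LocalMachine\Disallowed` path is the Windows certificate provider's name for that store; the thumbprint values are placeholders to be filled from Security Advisory 2728973.

```powershell
# Added example (not from the article): audit the local Untrusted Certificate
# Store for the "Microsoft Online Svcs" certificates the advisory moved there.
# Assumes Windows PowerShell with the certificate provider (Cert: drive).
function Get-UntrustedMicrosoftCerts {
    param(
        # The update writes to the machine-wide Disallowed (Untrusted) store
        [string]$StorePath = 'Cert:\LocalMachine\Disallowed',
        # Subject name the article gives for many of the affected certificates
        [string]$SubjectPattern = '*Microsoft Online Svcs*'
    )
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -like $SubjectPattern } |
        Select-Object Subject, Issuer, Thumbprint, NotBefore, NotAfter
}

# Returns one object per expected thumbprint with an Untrusted flag, so the
# result can be fed to a compliance report rather than read off the console.
function Test-UntrustedStoreContains {
    param(
        [Parameter(Mandatory)] [string[]]$ExpectedThumbprints,
        [string]$StorePath = 'Cert:\LocalMachine\Disallowed'
    )
    $present = (Get-ChildItem -Path $StorePath).Thumbprint
    foreach ($tp in $ExpectedThumbprints) {
        [pscustomobject]@{
            Thumbprint = $tp
            # -contains is case-insensitive for strings in PowerShell
            Untrusted  = $present -contains $tp
        }
    }
}

# Report what this machine currently distrusts under the advisory's subject name
Get-UntrustedMicrosoftCerts | Format-Table -AutoSize

# Placeholders: substitute the thumbprints published with advisory 2728973
$expected = @('<THUMBPRINT_FROM_ADVISORY_2728973_1>',
              '<THUMBPRINT_FROM_ADVISORY_2728973_2>')
Test-UntrustedStoreContains -ExpectedThumbprints $expected |
    Where-Object { -not $_.Untrusted } |
    ForEach-Object { Write-Warning "Not in Disallowed store: $($_.Thumbprint)" }
```

Because the updater the article describes refreshes the store at most once per day, a machine that has just received the critical update may need that first sync before the warnings disappear.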
This story was updated on July 10 to add the number of certificates marked as untrusted.