Microsoft today revoked trust for the four digital certificates inadvertently leaked last week by networking gear manufacturer D-Link.
Microsoft said it has modified its Certificate Trust List, removing trust for the four certs, which could have been used to sign malicious code used in attacks.
The certs included one belonging to D-Link and another from Alpha Networks, both of which were issued by Symantec. The other two, for Keebox and TRENDnet, were issued by GoDaddy.
Microsoft said that client versions of Windows 8, 8.1 and 10, as well as Windows Server 2012, Windows Server 2012 R2, Windows RT and Windows Phone 8 and 8.1, have automatic updaters that will revoke the certs without the need for user interaction. Windows Vista, Windows 7 and Windows Server 2008 and 2008 R2 also have an automatic installer available, but it is not automatically installed with the respective operating systems. Those users can either install the automatic updater or install update 2813430, Microsoft said.
The issue surfaced last Friday when a Dutch tech website reported that private keys used by D-Link to sign its software were found in the company’s open source firmware packages. Dutch security company Fox-IT confirmed the findings as well.
Leaking a legitimate code-signing certificate has potentially serious consequences. The use of stolen digital certificates is a common tactic among malware authors and attackers looking for a way to get their code past security systems. Many security technologies will trust files that are signed and let them pass. Many APT groups have made use of lost or stolen certs to sign malware used in targeted attacks.
The keys were found in firmware available for download from D-Link for the company’s DCS-5020L security camera; in addition to the private D-Link keys, passphrases and other information necessary to sign code were also available.
“I think this was a mistake by whoever packaged the source code for publishing. The code signing certificate was only present in one of the source code packages with a specific version,” Fox-IT researcher Yonathan Klijnsma told Threatpost. “The version above and below the specific package did not contain the folder in which the code signing certificates resided. A simple mistake of folder exclusion as far as I could see.”
The D-Link certificate, the company said, was published Feb. 27 and was available online for more than six months. It expired on Sept. 3. It’s unknown whether the certificates were used to sign malware in any active attacks.