Microsoft yanks 28 security certificates
By Nicole Kobie
Posted on 11 Jul 2012 at 09:18
Microsoft has pulled another 28 security certificates, saying hackers have yet to compromise them.
Last month, Microsoft withdrew three certificates and hardened its Update system after it was revealed that the Flame malware was being installed via a spoofed Windows Update system using a faked Microsoft security certificate.
Microsoft said the latest certificates to be revoked were uncovered as part of a general clean up, and not because they were being used by hackers.
None of the certificates involved are known to have been breached, compromised, or otherwise misused
"None of the certificates involved are known to have been breached, compromised, or otherwise misused," said researchers Gerardo Di Giacomo and Jonathan Ness in a blog post for the Microsoft Security Response Center. "This is a pre-emptive cleanup to ensure a high bar for any certificates owned by Microsoft."
The pair gave little detail as to what the issue was with the certificates, other than to say they "do not meet our standards for security practices".
Following the Flame outbreak, Microsoft released an automatic updater for security certificates, in order to revoke forged ones more quickly. Now, that will be pushed out as a critical "non-security" update to all Automatic Update Windows users, rather than offered as an optional download. "This new feature provides dynamic updates, allowing Windows clients to be updated with untrusted certificates once per day without requiring user interaction," Di Giacomo and Ness said.
While the revoked certificates affect all supported Windows systems, the daily updater is only available for OSes going back to Vista. Earlier systems, notably XP and Server 2003, will continue to receive certificate warnings via Windows Update as before.
Microsoft issued nine updates as part of yesterday's Patch Tuesday, including one addressing a critical drive-by attack.
- Hands on with the new Google Maps
- Nokia Lumia 925 review: first look
- Why I won't subscribe to Creative Cloud
- GoPro camera strapped to a remote-control helicopter: the ultimate boy's toy
- Acer Iconia A1 review: first look
- Acer Aspire P3 review: first look
- Acer Aspire R7 review: first look
- How we produce the PC Pro podcast
- Google Now draining iPhone battery
- The government website that doesn't work with IE, Chrome, Firefox, Safari, Macs or smartphones
- Yes, I write down my passwords
- How to deal with a ransomware attack
- How secure is your Wi-Fi network?
- How QR codes caught out the security pros
- Why I do not trust Do Not Track... yet
- The hard disks you can "secure" with a single-digit password
- Why I've started using a password manager
- Time to kill off CAPTCHA
- Are today's young people Generation I (for insecure)?
- Ransomware that's better made than antivirus software