[SingCERT] Fraudulent Digital Certificates vulnerability
- Published on Wednesday, 31 August 2011 18:25
[ Summary ]
At least one fraudulent digital certificate has been reported to have been issued by DigiNotar, a certification authority whose root certificate is present in the Trusted Root Certification Authorities Store on all supported releases of Microsoft Windows. This is not a vulnerability in a Microsoft product; the weakness lies with the certification authority, whose issued certificates Windows trusts by default.
[ Affected Systems ]
All supported editions of Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2, which use the Microsoft Certificate Trust List to decide whether a certification authority is trusted.
[ Impact Analysis ]
It has been confirmed that this fraudulent digital certificate covers all subdomains of google.com. Because the issuing root is trusted by default, any browser or other TLS client that relies on the Windows certificate store, Internet Explorer included, would accept the certificate without warning. An attacker in a position to intercept traffic could use it to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against users of those sites.
[ Solution/Workaround ]
As a precautionary measure, Microsoft has removed the DigiNotar root certificate from the Microsoft Certificate Trust List. Users of these operating systems will be presented with an invalid certificate error when they browse to a Web site, or try to install a program, whose certificate chains to the DigiNotar root. In those cases, users should follow the instructions in the message and should not bypass the warning to proceed to the site or install the program.
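The check below is an added example for administrators, not part of the SingCERT or Microsoft advisory: it enumerates the trusted-root and untrusted certificate stores of a Windows host and reports any DigiNotar certificate that is still in a Root store without a matching entry in the Disallowed (Untrusted Certificates) store. It assumes PowerShell 3.0 or later with the Cert: drive available; matching on the substring "DigiNotar" in the Subject or Issuer is an assumption for illustration, not an official list of affected certificates.

```powershell
# Added example (not from the advisory): report DigiNotar certificates in the
# trusted-root and untrusted stores of this host.
# Assumptions: PowerShell 3.0+ (for [PSCustomObject]) and the Cert: provider.
# The substring match on "DigiNotar" is an illustrative assumption.
$pattern = '*DigiNotar*'

# 'Root' is the Trusted Root Certification Authorities store,
# 'Disallowed' is the Untrusted Certificates store; check both scopes.
$stores = @(
    'Cert:\LocalMachine\Root',
    'Cert:\CurrentUser\Root',
    'Cert:\LocalMachine\Disallowed',
    'Cert:\CurrentUser\Disallowed'
)

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like $pattern -or $_.Issuer -like $pattern } |
        ForEach-Object {
            [PSCustomObject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
            }
        }
}

$findings | Format-Table -AutoSize

# A certificate in a Root store with no same-thumbprint entry in a Disallowed
# store is still trusted: certificates chaining to it would validate.
$stillTrusted = $findings |
    Where-Object { $_.Store -like '*\Root' } |
    Where-Object {
        $tp = $_.Thumbprint
        -not ($findings | Where-Object { $_.Store -like '*\Disallowed' -and $_.Thumbprint -eq $tp })
    }

if ($stillTrusted) {
    Write-Warning "DigiNotar root(s) still trusted: $($stillTrusted.Thumbprint -join ', ')"
    Write-Warning 'Apply the current Microsoft root certificate update, then re-run this check.'
} else {
    Write-Output 'No trusted DigiNotar root certificate found on this host.'
}
```

Run it in an elevated PowerShell session so the LocalMachine stores are readable. A host that does not receive Windows Update, or whose automatic root updates are disabled, may still carry the old trust list, and this is where the check earns its keep; the Disallowed store is consulted before the Root store during chain building, so a DigiNotar entry there is what actually causes the invalid certificate error the advisory describes.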