
Microsoft Revokes Trust In 28 of Its Own Certificates

Soulskill posted about 2 years ago | from the it's-just-been-revoked dept.

Trailrunner7 writes "In the wake of the Flame malware attack, which involved the use of a fraudulent Microsoft digital certificate, the software giant has reviewed its certificates, found nearly 30 that aren't as secure as the company would like, and revoked them. Microsoft also released its new updater for certificates as a critical update for Windows Vista and later versions as part of today's July Patch Tuesday. Microsoft has not said exactly what the now-untrusted certificates were used for, but company officials said there were a total of 28 certificates affected by the move. However, the company said it was confident none of them had been compromised or used maliciously. The move to revoke trust in these certificates is a direct result of the investigation into the Flame malware and how the attackers were able to forge a Microsoft certificate and then use it to impersonate a Windows Update server."

78 comments

Serves them right! (4, Funny)

Antipater (2053064) | about 2 years ago | (#40607917)

That's what you get when you leave valuable certificates near open flames.

Re:Serves them right! (2)

lipanitech (2620815) | about 2 years ago | (#40608015)

Verisign last year and now Microsoft, plus SSL encryption being picked apart; nothing is really safe on the web anymore.

Re:Serves them right! (3, Informative)

X0563511 (793323) | about 2 years ago | (#40608035)

plus SSL encryption being picked apart

Only if system administrators fail at configuration. [ssllabs.com]

Re:Serves them right! (0)

Anonymous Coward | about 2 years ago | (#40608729)

This doesn't really explain what the problem is. Care to fill in the rest of the class?

Re:Serves them right! (0)

Anonymous Coward | about 2 years ago | (#40609861)

Slashdot has no class, and its readers are incapable of browsing deeper than one link click. That's why there are so many frustratingly dumb questions here.

Here, have a bowtie [ssllabs.com].

Re:Serves them right! (1)

X0563511 (793323) | about 2 years ago | (#40609887)

Sure. Disable weak protocol versions. Disable weak ciphers. Disable client-initiated renegotiation. Those are some good starts.

Run the test on your site and have a look at the results. That should lead you on the path.

Re:Serves them right! (1)

Anonymous Coward | about 2 years ago | (#40611575)

Run the test on your site and have a look at the results.

An instant "F" grade because it doesn't recognise our CA. Which is ironic, because it is the well-known Big CAs which were the ones hacked in the past year.

But sure, put your trust in what some web page tells you about your security.

Re:Serves them right! (1)

X0563511 (793323) | about 2 years ago | (#40614723)

Cool, so you're a fucking idiot and cannot interpret results.

Scroll the fuck down and look at the details for the other sections of the test.

Re:Serves them right! (0)

Anonymous Coward | about 2 years ago | (#40608153)

Nothing was ever safe on the Web.

Even Bob the Guardian was heavily degraded by the experience, though admittedly he didn't have his key tool.

Re:Serves them right! (1)

trancemission (823050) | about 2 years ago | (#40608419)

The web has never been safe......encryption is not 'safe'

UK intelligence agencies take this approach.

We learnt this from Bletchley Park ;)

Re:Serves them right! (0)

Anonymous Coward | about 2 years ago | (#40608749)

Encryption is perfectly safe if handled correctly. The nature of the web just renders proper handling of encryption impossible.

Re:Serves them right! (4, Insightful)

Anonymous Coward | about 2 years ago | (#40608443)

OT, but related (somewhat):

> Verisign last year and now Microsoft plus SSL encryption being picked apart nothing is really safe on the web anymore.

Yes, nothing works because M$ doesn't work, then computers as a rule don't work, too. Do people still have some minimal grasp of logic? Or is this a feeble attempt at creating FUD?

BTW, am I supposed to buy a computer with a "secure boot" with keys from Verisign and M$?

Let me say that bluntly: enemies of the USA will manage to get keys (at what price, I can only wonder) the next day, while Linux users will have to purchase M$ (copyrighted?) keys to put Linux on their own PCs (maybe).

Again, secure boot is safe for who, really?

Re:Serves them right! (3, Insightful)

symbolset (646467) | about 2 years ago | (#40609771)

The purpose for secure boot is to protect the hardware from non-Windows operating systems. It's irony.

Re:Serves them right! (-1)

Anonymous Coward | about 2 years ago | (#40609943)

> The purpose for secure boot is to protect the hardware from non-Windows operating systems. It's irony.

Yes, I agree. But it is also highly anticompetitive. In my country, it would be the object of a serious intervention by the authorities.

I guess in the USA there's no department to maintain the competition nowadays; now that M$ turned into what they despise, it's a good thing there's no need to fear antitrust suits by the DOJ or anything. (sarcasm)

Well, let's hope Europe keeps having the sanity to impose another heavy fine if this is even proposed on its territory. Does anyone know how much of M$'s cash remains in the bank atm?

Re:Serves them right! (3, Interesting)

mug funky (910186) | about 2 years ago | (#40610637)

The "enemies of the USA" did not create Flame, nor compromise these certificates.

You're looking for "the USA and its special friend" there. This is public knowledge now.

Re:Serves them right! (1)

Yvanhoe (564877) | about 2 years ago | (#40613195)

Yes, as a non-American I feel this way too. Considering that Flame seems to be a governmental virus too, presumably from the USA, it raises the question: of the 28 certificates, how many were handed from Microsoft to the Flame writers through a secret deal or through classic corruption?

Nowadays, it sounds more and more reasonable to assume that Windows with any kind of auto updating is rootable by the CIA. I do not want that, and that will effectively force me to have a redundancy of computers. I doubt that dual-booting, even with encrypted partitions, is an effective protection.

Re:Serves them right! (2)

sFurbo (1361249) | about 2 years ago | (#40611729)

Linux users will have to purchase M$ (copyrighted?) keys to put Linux on their own PCs.

They shouldn't be copyrightable, as they are not the result of creative work, but are random. Just like the HD-DVD code should not have been copyrightable. Whether "should" will have any effect on "are" is another problem.

Re:Serves them right! (1)

Dr_Barnowl (709838) | about 2 years ago | (#40611831)

It's not the public key, which is the part that is distributed, that is the part you need. You need the private key to sign the binaries so that UEFI can use the public key to verify them.

As the name implies, the private key is kept private. You don't need to distribute it, just sign things with it. If the key holder is smart, they'll generate the key on a smart card and arrange matters such that it never leaves the smart card, and then lock it in a safe when they aren't signing binaries.

Once the private key is distributed it loses all its value, and it will get revoked. This is the reason that Canonical have chosen a bootloader with a more liberal / promiscuous license than GRUB 2 for Secure Boot in Ubuntu; the GPL license could compel them to release their signing key (even though the FSF has stated that they will play nice and not enforce this).

Re:Serves them right! (1)

benjymouse (756774) | about 2 years ago | (#40611901)

If the key holder is smart, they'll generate the key on a smart card and arrange matters such that it never leaves the smart card, and then lock it in a safe when they aren't signing binaries.

Actually, keys like this are generated within certified hardware security modules (HSMs) which guarantee that the key will *never* leave the unit, not even if an administrator says it's ok. The HSM simply hasn't got the functionality. The HSM will be able to back up the keys in *encrypted* form to an external unit (possibly another HSM) or media. HSMs typically also have an array of anti-tamper protections such as embedding the chips in solid blocks of epoxy, vibration sensors, temperature sensors, accelerometers, power outage sensors, gyroscopes, x-ray/light sensors etc. HSMs will only sign messages or hashes with a private key if a number of users are each presenting a hardware token and PINs at the same time.

Re:Serves them right! (1)

SeaFox (739806) | about 2 years ago | (#40609103)

Yup, looks like Microsoft really got burned on this one. Now their security clout is even more up in smoke.

supposedly forged Microsoft certificates (0)

Anonymous Coward | about 2 years ago | (#40613859)

Why didn't Microsoft release those three certificates which were supposedly forged and these 28 new certificates?

It's the only way to prove they were not legitimate certificates.

good! (3, Insightful)

X0563511 (793323) | about 2 years ago | (#40608001)

I'm hardly a Microsoft fan, but good! They seem to be taking a proactive approach here.

Re:good! (0)

Anonymous Coward | about 2 years ago | (#40608027)

It's only good if they've rewritten the cert updater to use the system proxy, otherwise it's still unusable shit.

Re:good! (1)

drinkypoo (153816) | about 2 years ago | (#40608221)

I'm hardly a Microsoft fan, but good! They seem to be taking a proactive approach here.

Yes, they're taking a proactive approach to push upgrades from XP.

Re:good! (0)

Anonymous Coward | about 2 years ago | (#40608409)

You mean that operating system that is on ultra-mega-extended-barely-alive support isn't getting patches? Shocker.

Re:good! (4, Insightful)

drinkypoo (153816) | about 2 years ago | (#40608623)

You mean that operating system that is on ultra-mega-extended-barely-alive support isn't getting patches? Shocker.

You mean that operating system that Microsoft stopped shipping on June 30, 2010 [pcmag.com], just ten days over a year ago, even though they had already cut off support? The one that you will still be permitted to "downgrade" to until 2015, three more years from now? That one? The truth is that as long as it is being shipped (and it still is, due to downgrade licenses) it is a current product, by definition.

Re:good! (1)

oodaloop (1229816) | about 2 years ago | (#40608713)

stopped shipping on June 30, 2010, just ten days over a year ago

I'm not sure what yours says, but my watch says it's 2012 right now. You might want to wind yours up again or something.

Re:good! (1)

drinkypoo (153816) | about 2 years ago | (#40608789)

Er, yeah, brain-o. I do know what year it is, most of the time.

Two years is still an unprecedentedly short time for Microsoft to drop support after ceasing shipping, and in any case, they are still shipping licenses which permit downgrading until 2015 or so, which technically means XP is still shipping and will be for some time even though they have already dropped support. This is unconscionable at best.

Re:good! (3, Insightful)

Anonymous Coward | about 2 years ago | (#40608851)

For many years now, you had to make a conscious effort to actually get XP. And I don't mean some kind of checkbox after an EULA that nobody reads, but you actually had to know about the downgrade rights & exercise them. If you do that, you presumably know what exactly you're doing, and all information about XP support lifetime was publicly available since its release, and widely publicized since the first announcement of nearing termination. I have absolutely zero empathy for someone who'd buy XP today and then complain that they don't have support for it.

Re:good! (0)

Anonymous Coward | about 2 years ago | (#40611425)

I have zero empathy for the shit-talking muppets using Windows 7 who have more than the 12 necessary system processes of XP.

Re:good! (2, Insightful)

Anonymous Coward | about 2 years ago | (#40609213)

If you know the right person to call, Microsoft will ship you a copy of OS/2 v1.3. There are many people that will still want to purchase XP for years after all official support has ended.

Re:good! (0)

Anonymous Coward | about 2 years ago | (#40610735)

> an unprecedentedly short time

Please refer to Windows ME for precedent.

Re:good! (1)

smash (1351) | about 2 years ago | (#40610517)

It is not a current product. It is still available, but not supported.

Re:good! (0)

Anonymous Coward | about 2 years ago | (#40610755)

You can still get Win 3.1, so obviously it's a current product, right? GP's logic fails hard.

Re:good! (1)

drinkypoo (153816) | about 2 years ago | (#40610791)

You can still get Win 3.1

Microsoft is not shipping Win3.1, except possibly as part of the full MSDN package, which doesn't count. I know reading is hard, but try harder.

Re:good! (0)

Anonymous Coward | about 2 years ago | (#40611623)

A business can ship anything they want to. If 10 million people said they were ready to purchase DOS 1.0 I'm sure they would consider shipping it. Shipping as a qualifier is retarded. Current has nothing to do with what is being shipped. It means what the latest version (Hint: Singular) of said product is. And that would be Windows 7.

Re:good! (0)

Anonymous Coward | about 2 years ago | (#40614813)

> which doesn't count

And why doesn't MSDN count? it's easier to get packages from there than it is the WinXP downgrade that you call 'still shipping'...

Re:good! (0)

Anonymous Coward | about 2 years ago | (#40610721)

> The truth is that as long as it is being shipped (and it still is, due to downgrade licenses) it is a current product, by definition.

So does that mean that Centos 2.1 is also a 'current product', by definition? It's still 'shipping' and appearing on current mirrors... See http://mirrors.cmich.edu/centos/ ... You don't even need a downgrade license, you can just install it directly!

Re:good! (0)

Anonymous Coward | about 2 years ago | (#40617579)

> You mean that operating system that is on ultra-mega-extended-barely-alive support isn't getting patches?

I'm a Vista user. No, don't cry... no, really, I got over it. I also don't cry any more. When I come home I see my PC with XP and all my suffering magically is mitigated.

An XP CD with a hole in the middle is still better than Vista. Scratch that, W2K was better than Vista!

PS: All my posts to this newsstory are solely my personal opinion.

Re:good?? (2)

nzac (1822298) | about 2 years ago | (#40609919)

I would hardly call it proactive; they have just discarded all the certs that would have been considered insecure a couple of years ago. A company that promotes "trusted computing" should have done this when they were found to be insecure.

The proactive approach would be to upgrade all certs to 2048 bits so they will be as good as the current best standardized strength*. This is just removing those that they would consider insecure: MD5 and less than 1024 bits. This is the bare minimum to try and mitigate the damage.

*they could beat most Linux distros to doing this completely.

Reactive (1)

detritus. (46421) | about 2 years ago | (#40611155)

Having had to support Microsoft junk for over 15 years, the cynic in me screams that this was a reactive approach.

We need the secure boot certificates revoked (0)

Anonymous Coward | about 2 years ago | (#40608017)

The sooner the better. Let's hope malware writers get on with it.

Umm.... (0)

Anonymous Coward | about 2 years ago | (#40608043)

This is bad...why?

Isn't this precisely why revocable certificates are a good idea? We learn more about possible flaws in the underlying crypto, we determine something is weaker than we thought, and we can revoke the cert before it's compromised.

We complain about Microsoft doing the RIGHT thing now?

Re:Umm.... (1)

Anonymous Coward | about 2 years ago | (#40608095)

WTF are you talking about?

Where do you see a complaint?

Re:Umm.... (0)

Anonymous Coward | about 2 years ago | (#40613427)

The rest of the comments section? This is an MS thread.

it's just... (0)

Anonymous Coward | about 2 years ago | (#40608079)

...their new program of innovation.

UEFI (0)

Anonymous Coward | about 2 years ago | (#40608159)

Great, let's rely on them to secure all BIOS as well.

So when are they going to tackle the real problem? (1)

Anonymous Coward | about 2 years ago | (#40608185)

Didn't the whole attack hinge on a hash collision of an algorithm that's thought to be probably insecure and obsolete for years? (md5).. That, and it was implemented weakly in the first place?

So when are we going to see md5 replaced by a more secure method? (sha1?)

Re:So when are they going to tackle the real probl (3, Informative)

cryptizard (2629853) | about 2 years ago | (#40608527)

That's the whole point of this: they replaced old certificates with new ones that don't use MD5.

world keeps on baffling me (1)

znrt (2424692) | about 2 years ago | (#40608347)

"now-untrusted certificates"
"However, the company said it was confident none of them had been compromised or used maliciously"

That's either idiots talking, or someone talking to idiots.

Secure boot - Ha! (0)

Anonymous Coward | about 2 years ago | (#40608397)

Secure boot - Ha!

This is a Microsoft nightmare waiting to happen...

CAPTCHA = installs (amazing! How does it know!)

Vista and later? What about XP? (1)

Anonymous Coward | about 2 years ago | (#40608483)

XP (and early) users beware!

What would happen ... (4, Interesting)

k(wi)r(kipedia) (2648849) | about 2 years ago | (#40608857)

if, a few years into the future, somebody dusts off an old copy of Windows Vista/7 and runs an update. Will that version of Vista/7 still update? Will it still work?

I'm asking because of this whole business with certificate revocation. Obviously, to revoke a certificate "successfully" without inconveniencing users, you have to update users' systems to the new certificate using the old one. This has obvious consequences for the maintenance of Secure Boot-enabled systems.

Re:What would happen ... (2)

drinkypoo (153816) | about 2 years ago | (#40608989)

if, a few years into the future, somebody dusts off an old copy of Windows Vista/7 and runs an update. Will that version of Vista/7 still update? Will it still work?

Depends, will there still be an active activation server?

Re:What would happen ... (2)

k(wi)r(kipedia) (2648849) | about 2 years ago | (#40609099)

Forgot about that one.

Secure Boot appears to be an attempt to impose a Microsoft solution to a security problem. Secure Boot would be perfect for Windows systems because such systems would be EOL'd anyway if Microsoft goes belly up.

But for FLOSS users it would only complicate the maintenance and upgrade paths, even if they decide to use Ubundora's "solutions". There's a chance that a working system would stop working because the boot certificate was revoked.

Who is responsible? (0)

Anonymous Coward | about 2 years ago | (#40609049)

Will Microsoft look into the theory that a government did this and take legal action if proof is obtained?
I would hope they would.

Update available from fake Windows Update server? (2)

Bent Mind (853241) | about 2 years ago | (#40609911)

Microsoft also released its new updater for certificates as a critical update for Windows Vista and later versions as part of today's July Patch Tuesday. ... and how the attackers were able to forge a Microsoft certificate and then use it to impersonate a Windows Update server."

So, to protect users from potentially trusting a fake Windows Update server, Microsoft is releasing this update through a Windows Update server, which potentially could be fake? I suppose that if your computer already trusts a fake server, it is too late. However, I wish Microsoft would go back to providing downloadable updates that didn't depend on Windows Update.

Re:Update available from fake Windows Update serve (1)

benjymouse (756774) | about 2 years ago | (#40612053)

So, to protect users from potentially trusting a fake Windows Update server, Microsoft is releasing this update through a Windows Update server, which potentially could be fake? I suppose that if your computer already trusts a fake server, it is too late

This is not a fix for machines already pwned. It is a precautionary step to foil copycats (or the original attacker returning with a new kit). If a machine gets this update it will be immunized to attacks using these certs. You are correct that if a machine is already pwned or on a net with a fake WU server, that WU server could block this update to remain in the loop. This was never billed as a solution for that problem, however. If you suspect that your machine is pwned through a sophisticated attack like Flame you really need to nuke it from orbit.

However, I wish Microsoft would go back to providing downloadable updates that didn't depend on Windows Update.

Ahem. Microsoft releases all updates as separately downloadable packages. Windows Update / Microsoft Update is merely a delivery mechanism. The knowledge base article (with download links) for this particular one is found here: http://support.microsoft.com/kb/2728973 [microsoft.com]
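An added example, not from this thread or from Microsoft, of how an administrator can check a machine against the two weakness criteria discussed above (MD5 signatures, RSA keys shorter than 1024 bits) and see what has been explicitly distrusted. It assumes Windows PowerShell with the Cert: drive, and that the update places the revoked certificates in the Untrusted Certificates (Disallowed) store.

```powershell
# Added example (not the thread's or Microsoft's code): audit the local
# machine's trusted stores for MD5-signed or sub-1024-bit RSA certificates,
# then list what the Untrusted Certificates (Disallowed) store contains.
# Assumption: the KB2728973 update moved the 28 certs into that store.

function Test-WeakCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $reasons = @()
    # SignatureAlgorithm.FriendlyName reads e.g. "md5RSA", "sha1RSA", "sha256RSA"
    if ($Cert.SignatureAlgorithm.FriendlyName -like 'md5*') {
        $reasons += 'MD5 signature'
    }
    # Only RSA keys have a modulus length to compare against 1024 bits;
    # PublicKey.Key throws for other key types, so check the OID first.
    if ($Cert.PublicKey.Oid.FriendlyName -eq 'RSA') {
        $bits = $Cert.PublicKey.Key.KeySize
        if ($bits -lt 1024) { $reasons += "$bits-bit RSA key" }
    }
    return $reasons
}

# Inventory the trusted root and intermediate CA stores.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA'
$weak = foreach ($cert in Get-ChildItem -Path $stores) {
    $why = Test-WeakCertificate -Cert $cert
    if ($why.Count -gt 0) {
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Reason     = ($why -join ', ')
        }
    }
}
"Weak certificates still trusted: $(@($weak).Count)"
$weak | Format-Table -AutoSize

# Show what the machine explicitly distrusts; after the update this store
# should be non-empty rather than the pre-patch default of a handful of entries.
$untrusted = Get-ChildItem -Path 'Cert:\LocalMachine\Disallowed'
"Untrusted store holds $(@($untrusted).Count) certificate(s)"
$untrusted | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize
```

Run it before and after installing the update and diff the two Untrusted listings; a machine whose Untrusted store never grows despite Windows Update reporting success is the case benjymouse describes, where the delivery path itself cannot be trusted.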

Re:Update available from fake Windows Update serve (1)

Bent Mind (853241) | about 2 years ago | (#40619153)

This is not a fix for machines already pwned. It is a precautionary step to foil copycats

I figured as much. I just thought the loop was funny...

Microsoft releases all updates as separately downloadable packages.

I see that this patch does offer an executable download. However, not all patches are available as executables. I'm not on the machine now. So I'm not sure of the patch numbers. However, I have a Vista machine that has 2 security updates, from May, permanently stuck in an install loop. They successfully install about every 10 minutes. I tried several solutions. Microsoft has a FixIt application that told me Windows Update needed to be repaired. It claims to fix it every time it is run. However, the problem does not go away. So I tried to find the downloadable version of the update to see if installing it in Safe Mode would work. No Go. The only file available for download was a .msu file. Unfortunately, msu files require that Windows Update be running with an active network connection. They do not work in Safe Mode. At this point I think a reinstall is needed. However, Vista is a major pain. If I have to reinstall, I'm putting XP back on the machine.

Umm (0)

Anonymous Coward | about 2 years ago | (#40610389)

"The move to revoke trust in these certificates is a direct result of the investigation into the Flame malware and how the attackers were able to forge a Microsoft certificate and then use it to impersonate a Windows Update server."

Umm, isn't it known how they did it? It is my understanding that the forged certs were using MD5, which is easily broken. US-CERT said in 2008 that "MD5 should be considered cryptographically broken and unsuitable for further use."

So, what's the mystery?

Where's the Gates Borg Icon? (2)

chebucto (992517) | about 2 years ago | (#40610697)

I've been away from /. for awhile, so seeing the MS corporate logo in place of the familiar Gates-Borg icon came as a bit of a shock.

When did our dear leaders get rid it? What possible reason, aside from a desire to be more bland, could they have?

Re:Where's the Gates Borg Icon? (0)

Anonymous Coward | about 2 years ago | (#40611719)

The meme retired after suffering from the conversion from boring web 1.0 /. to web 2.0 /. with vectors and gradients graphics.

Re:Where's the Gates Borg Icon? (0)

Anonymous Coward | about 2 years ago | (#40612901)

and useless javascript that prevents me from opening slashdot on my phone. seriously, expanding a topic takes a fucking minute to do so.

Re:Where's the Gates Borg Icon? (1)

Alioth (221270) | about 2 years ago | (#40614573)

Well, they ought to have updated it to be a picture of a flying chair instead.

Re:Where's the Gates Borg Icon? (1)

chebucto (992517) | about 2 years ago | (#40617597)

Well, they ought to have updated it to be a picture of a flying chair instead.

That'd be good. Even better, maybe, would be a flying chair coming off of a sinking Titanic (rearrange the chairs? I'll rearrange the funking chairs!).

Not the first time... (0)

Anonymous Coward | about 2 years ago | (#40612151)

This isn't the first time that a trusted software update mechanism has been used for state sponsored pwnage: SK Hack by an Advanced Persistent Threat [commandfive.com]

In some cases revoking certificates doesn't seem to be an effective response either, with hackers continuing to use malicious code signed prior to the certificate revocation date: Command and Control in the Fifth Domain [commandfive.com] (see page 3)

Inflation sucks (1)

GrumpySteen (1250194) | about 2 years ago | (#40619201)

"found nearly 30"
"found 28"

One of those is more concise, more informative and doesn't attempt to exaggerate by increasing the first digit (which people pay the most attention to) for no reason.
