Microsoft has removed a rogue SSL root certificate issued by DigiNotar from the list of trusted Windows root certificates in an effort to protect users of Internet Explorer from attacks impersonating Google online properties, including Gmail.
Dave Forstrom, director of Trustworthy Computing for Microsoft, said that the software giant is so far aware of only a single fraudulent DigiNotar digital certificate, which is no longer featured on the Microsoft Certificate Trust List.
“DigiNotar has since revoked the digital certificate. This is not a Microsoft security vulnerability; however, the certificate potentially affects Internet users attempting to access websites belonging to Google,” Forstrom revealed.
While attacks leveraging the rogue SSL root certificate do not exploit actual vulnerabilities, they still represent a security issue, since cybercriminals can abuse the certificate to masquerade malicious websites as legitimate Google sites.
“A fraudulent certificate may be used to spoof Web content, perform phishing attacks or perform man-in-the-middle attacks against end users,” Forstrom explained.
All browsers are impacted by this problem to the same degree as IE. However, now that the Redmond company has excluded the fraudulent digital certificate issued by DigiNotar from the Microsoft Certificate Trust List, the browser will warn users that sites leveraging it are not safe.
“All supported editions of Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 use the Microsoft Certificate Trust List to validate the trust of a certification authority,” Microsoft explained.
“Users of these operating systems will be presented with an invalid certificate error when they browse to a Web site or try to install programs signed by the DigiNotar root certificate. In those cases users should follow the instructions in the message. Microsoft will release a future update to address this issue for all supported editions of Windows XP and Windows Server 2003.”
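As an added example that is not part of the article or of Microsoft's guidance, the following PowerShell script lets an administrator check on a given machine the state the article describes: whether a DigiNotar certificate is still present in a trusted root or CA store, whether it has been placed in the Disallowed store, and which chain-status flag a certificate chaining to it produces (the detail behind the browser's generic "invalid certificate" error). The store paths are the standard Windows certificate provider paths; the Subject match on "DigiNotar" and the file path in the usage line are assumptions.

```powershell
# Added example (not from the article or Microsoft): audit a Windows machine for
# DigiNotar roots and show what the "invalid certificate error" corresponds to.
# Assumptions: the DigiNotar certificates carry "DigiNotar" in their Subject field,
# and the standard store paths below exist (they do on Vista/7/2008 and later).

$pattern = '*DigiNotar*'

# 1. Is a DigiNotar certificate still present in any trusted root/CA store?
$trustedStores = @(
    'Cert:\LocalMachine\Root',      # Trusted Root Certification Authorities (machine)
    'Cert:\LocalMachine\AuthRoot',  # third-party roots delivered by Windows Update
    'Cert:\LocalMachine\CA',        # Intermediate Certification Authorities
    'Cert:\CurrentUser\Root',       # per-user trusted roots
    'Cert:\CurrentUser\CA'
)

foreach ($store in $trustedStores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like $pattern } |
        ForEach-Object {
            Write-Warning ("Still trusted in {0}: {1} (thumbprint {2}, expires {3})" -f
                $store, $_.Subject, $_.Thumbprint, $_.NotAfter)
        }
}

# 2. Has the certificate been explicitly distrusted? Entries in the Disallowed store
#    ("Untrusted Certificates") override trust even if a copy remains in Root.
$distrusted = Get-ChildItem -Path 'Cert:\LocalMachine\Disallowed' -ErrorAction SilentlyContinue |
    Where-Object { $_.Subject -like $pattern }
if ($distrusted) {
    $distrusted | ForEach-Object { "Explicitly distrusted: $($_.Subject) ($($_.Thumbprint))" }
} else {
    "No DigiNotar entry in the Disallowed store on this machine."
}

# 3. Reproduce the browser's decision for a certificate file on disk (for example one
#    exported from a TLS session). The chain build uses the same Windows trust stores
#    the browser uses and reports the reason instead of a generic "not safe" page.
function Test-CertificateChain {
    param([Parameter(Mandatory)][string]$Path)

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Check revocation online so a certificate the CA has since revoked is reported as Revoked
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online

    $ok = $chain.Build($cert)
    [PSCustomObject]@{
        Subject = $cert.Subject
        Issuer  = $cert.Issuer
        Trusted = $ok
        # Typical flags: UntrustedRoot (root no longer in a trusted store), Revoked,
        # ExplicitDistrust (root present in the Disallowed store)
        Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Usage (assumed path): Test-CertificateChain -Path 'C:\temp\site.cer'
```

Running the first two sections on a machine that has received the trust list update should print no warnings from step 1; a hit there with no matching Disallowed entry means the machine still trusts the root and the chain test in step 3 will report `Trusted = True` for certificates issued under it.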