Hi everyone. This is Maarten Van Horenbeeck. I just joined the Microsoft Security Response Center a few months ago, and am the program manager working on the issue described in Microsoft Security Advisory (961509), which we just released.
Earlier today, two researchers presented at a security conference on a novel way of implementing collision attacks on digital certificates signed using the MD5 algorithm. Attacks on MD5 have been known for some time, but were never considered to be very practical. This type of attack allows the generation of additional digital certificates with different content, but the same digital signature as an original certificate. While the presentation today didn’t release details that could be used for active attacks, we know that customers might have questions about this issue.
This is not a vulnerability in our products, it is in fact an issue that affects the industry as a whole. To reach out to our customers and provide guidance, we decided to release security advisory 961509 to help customers assess the risk posed by this new find. Over Christmas, Microsoft has also been working with several certificate authorities to make them aware of the issue and encourage them to move to more robust technologies. We hope this advisory helps address some of your concerns.
My colleague Damian Hasse at the Microsoft Security Response Center Engineering has compiled an overview of the techniques that you can consider to defend against any future exploitation on the Security Vulnerability Research and Defense (SVRD) blog. They review the effectiveness of techniques and tools such as Extended Validation certificates and certificate revocation checking in more depth.
Cheers,
Maarten
*This posting is provided “AS IS” with no warranties, and confers no rights*”