MSRC

More on Microsoft’s response to the DigiNotar compromise

This blog post was updated Sept. 5, 2011 below.

Microsoft’s investigation into the scope and impact of the DigiNotar compromise has continued over the holiday weekend. We have now confirmed that fraudulently issued certificates for *.microsoft.com and *.windowsupdate.com are among those issued by the Dutch firm.

Users of Windows Vista and later operating systems have been protected since we released Security Advisory 2607712 on August 29. In addition, customers using Windows Update on any platform are not at risk of exploitation from the windowsupdate.com certificate, since that domain is no longer in use. The Windows Update service does not rely on a TLS certificate alone; it uses multiple means of checking that the content it distributes is legitimate and untampered, so a fraudulent certificate for that domain cannot by itself be used to deliver a malicious update. For more information on how Microsoft is protecting customers and additional actions customers may take for further protection, please see today’s SRD blog post titled “Protecting yourself from attacks leveraging fraudulent DigiNotar digital certificates.”

As always, we continue to take action to ensure the safety of our customers. We have already removed the two DigiNotar root certificates from the Certificate Trust List; these two roots encompass what we believe to be the vast majority of the fraudulently issued digital certificates, and every fraudulent certificate that has been disclosed to Microsoft chains to one of them. We are also working to update Security Advisory 2607712 for customers on Windows XP and Windows Server 2003, and will continue to investigate any additional issues arising from the fraudulent *.microsoft.com certificate. We will provide updated information to customers as it becomes available.

Dave Forstrom
Director, Trustworthy Computing

UPDATED Sept. 5, 2011

On Aug. 29, Microsoft released Security Advisory 2607712 to remove two DigiNotar root certificates from the Certificate Trust List. We are in the process of moving all DigiNotar owned or managed Certificate Authorities to the Untrusted Certificate Store, so that Windows will reject any certificate that chains to a DigiNotar CA and deny access to any website presenting a DigiNotar certificate. Microsoft is preparing to release an update to implement these protections.

Microsoft is offering the update to customers worldwide in order to protect them from this breach. At the explicit request of the Dutch government, Microsoft will delay deployment of this update in the Netherlands for one week to give the government time to replace certificates. Dutch customers who wish to install the update sooner can do so by manually visiting Windows Update or by following the instructions available at www.microsoft.nl once the security update is released worldwide.
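The update described above works by placing DigiNotar CA certificates in the Untrusted (Disallowed) certificate store, which the Windows chain engine consults before trusting any certificate that chains to them. The PowerShell script below is an added example written for this page, not code from Microsoft or the advisory: it audits the local certificate stores for any CA whose subject or issuer matches "DigiNotar" and reports whether each one sits in a trusted store or in Disallowed, and it builds the chain for a certificate saved from a TLS session so you can confirm that a DigiNotar-issued certificate no longer validates. The store paths, the "DigiNotar" match pattern, and the sample file path are assumptions; no thumbprints or serial numbers from the incident are used.

```powershell
# Added example (not from the MSRC post): audit Windows certificate stores for
# DigiNotar CA certificates and check whether a given certificate still chains
# to a trusted root. Assumes Windows Vista or later with PowerShell 3.0+ and,
# for the LocalMachine stores, an elevated session.

function Get-DigiNotarCertificates {
    param([string]$Pattern = 'DigiNotar')   # assumed subject/issuer substring to look for

    # Root and AuthRoot hold trusted roots, CA holds intermediates, and Disallowed is
    # the Untrusted Certificate Store that the advisory update populates.
    $stores = @(
        'Cert:\LocalMachine\Root',
        'Cert:\LocalMachine\AuthRoot',
        'Cert:\LocalMachine\CA',
        'Cert:\LocalMachine\Disallowed',
        'Cert:\CurrentUser\Root',
        'Cert:\CurrentUser\CA',
        'Cert:\CurrentUser\Disallowed'
    )

    foreach ($store in $stores) {
        if (-not (Test-Path -Path $store)) { continue }
        Get-ChildItem -Path $store | Where-Object {
            $_.Subject -match $Pattern -or $_.Issuer -match $Pattern
        } | ForEach-Object {
            [pscustomobject]@{
                Store        = $store
                Subject      = $_.Subject
                Issuer       = $_.Issuer
                Thumbprint   = $_.Thumbprint
                NotAfter     = $_.NotAfter
                # True means the CA is still in a store Windows trusts; after the
                # update every DigiNotar CA should appear only under Disallowed.
                InTrustStore = ($store -notmatch 'Disallowed')
            }
        }
    }
}

function Test-CertificateChainTrust {
    param([Parameter(Mandatory=$true)][string]$Path)   # DER or Base64 .cer/.crt file

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation checking is disabled so the test runs offline; the Disallowed store
    # is consulted by the chain engine regardless of revocation mode.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($cert)

    [pscustomobject]@{
        Subject = $cert.Subject
        Issuer  = $cert.Issuer
        Trusted = $built
        # On failure, status flags such as UntrustedRoot or ExplicitDistrust explain why.
        Status  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

# Usage: list every DigiNotar CA on this machine. Any row with InTrustStore = True
# means the protection has not been applied (or the CA was re-added by hand).
Get-DigiNotarCertificates | Format-Table -AutoSize

# Usage: evaluate a server certificate exported from a TLS session (path is assumed)
# and confirm that Trusted is False once the DigiNotar CAs are in Disallowed.
# Test-CertificateChainTrust -Path 'C:\temp\suspect-server.cer'
```

The audit relies on the Windows certificate provider (`Cert:`) rather than on a fixed list of thumbprints, so it also catches DigiNotar intermediates or cross-signed CAs that a thumbprint list would miss. For an end-to-end check, export the certificate presented by a site you are concerned about and pass it to `Test-CertificateChainTrust`: a chain that terminates in `ExplicitDistrust` or `UntrustedRoot` confirms that the Untrusted Certificate Store is doing its job.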

For further updates and actions customers may take for added protection, visit: http://blogs.technet.com/b/msrc.
