Microsoft releases patch to shun DigiNotar certificates
Microsoft has announced the release of an out-of-band patch to revoke any trust in certificates issued by DigiNotar.
According to a statement by Dave Forstrom, director of Microsoft Trustworthy Computing, security advisory 2607712 has been updated after the company deemed "all DigiNotar certificates [are] untrustworthy". Microsoft has moved them to the Untrusted Certificate Store and extended support with the update so that all users of Windows XP, Windows Server 2003 and Windows-supported third-party applications are protected.
Forstrom said: “We recognise this issue as an industry problem and we have been actively collaborating with certificate authorities, governments and software vendors to help protect our mutual customers.”
The patch will only require a restart for all editions of Windows XP and Windows Server 2003. The installer will stop the required services, apply the update and then restart the services.
According to the Security Garden blog, the release of the update will be delayed for the Netherlands at the request of the Dutch government.
Andrew Storms, director of security operations at nCircle, said: “It's game over for DigiNotar. Very soon it will officially no longer be a valid entity to issue certificates.
“Last week Microsoft removed DigiNotar's commercial root certificates from its products and this week has moved those two certificates and three others related to the Dutch government into the ‘untrusted’ category. The result is that all Windows computers explicitly do not trust DigiNotar.
“Cumulatively, these steps will have a monumental impact on the Dutch government's websites and their ability to function. The problem for the Dutch online infrastructure is very serious; even the Dutch government was quoted in a press release yesterday saying that its own websites could not be trusted.
“I'm sure the Dutch government is learning a hard, but important, lesson from this ongoing fiasco. Trusting DigiNotar's critical online infrastructure role without spending the time to independently audit its operations has undoubtedly cost the Dutch government a lot of time and money. It has certainly caused a great deal of international embarrassment.”