Microsoft is rolling out a worldwide patch that deems all DigiNotar SSL certificates to be untrustworthy except for OSes in the Netherlands, as requested by the Dutch government.
All certificates issued by DigiNotar, a Dutch provider of Secure Socket Layer (SSL) certificates, are untrustworthy Microsoft concluded after an investigation into the matter. The certificates are to be moved to the Untrusted Certificate List Tuesday.
The patch fixes the problem for all versions of Windows and Windows Server, including Windows XP and Server 2003, Dave Forstrom, director of Microsoft's Trustworthy Computing division, announced in a Security Advisory.
As of 29 August the Certificate Trust List (CTL) was revised to remove DigiNotar from the list of Certificate Authorities (CAs). That list, with valid root certificates, is automatically updated for Windows Vista, Windows 7 and Windows Server 2008. Windows Vista and higher check every seven days for changes in the list, so the last time these OSes were vulnerable for the 500 rogue DigiNotar certificates was Sept. 5, Microsoft stated.
Windows XP and Windows Server 2003 work with a static list that has to be updated trough a security patch. "We have extended our support with this update so all customers using Windows XP, Windows Server 2003, and all Windows supported third-party applications are protected," Forstrom wrote. After this update, all DigiNotar certificates are no longer trusted for HTTPS connections.
The patch will be rolled out worldwide with one exception. By government request Microsoft has refrained from patching the OSes in the Netherlands, the company said in a Dutch press release. "At the explicit request of the Dutch government, Microsoft has decided not to automatically execute the update for the Netherlands," Microsoft Netherlands stated.
The week-old CTL update only revoked a part of the DigiNotar certificates. As of Tuesday it also includes certificates from the "PKIoverheid" root used by the Dutch government and certain companies. The Dutch government requested a delay for the update because it wants to give organizations and businesses the chance to replace the certificates. The Dutch government banned DigiNotar themselves in a very rare nightly press conference Friday night local time. Administrators that want to patch their systems can do this themselves by following instructions issued by Microsoft.
The DigiNotar hack was claimed by "Comodohacker" in a posting Monday on Pastebin. Comodohacker claimed to breach DigiNotar to punish the Dutch government for the actions of its soldiers in Srebrenica, where 8,000 Muslims were killed by Serbian forces in 1995 during the Bosnian War.
More than 500 fraudulent SSL certificates were issued by DigiNotar after its systems were breached. A report released on Monday by DigiNotar's auditor, Fox-IT, found that more than 300,000 mostly Iranian unique IP addresses may have accessed Google account information under the fraudulent certificate, meaning the data exchanged with Google could have been intercepted.