Microsoft: Stolen SSL certs can't be used to install malware via Windows Update

ID: IRCNE2011091240
Date: 2011-09-06

According to Computerworld, Microsoft said Sunday that a digital certificate stolen from a Dutch company could not be used to force-feed customers malware through its Windows Update service.
"Attackers are not able to leverage a fraudulent Windows Update certificate to install malware via the Windows Update servers," said Jonathan Ness, an engineer with the Microsoft Security Response Center (MSRC), in a Sunday blog post. "The Windows Update client will only install binary payloads signed by the actual Microsoft root certificate, which is issued and secured by Microsoft."
Seven of the 531 certificates now known to have been fraudulently obtained by hackers in July were for the domains update.microsoft.com and windowsupdate.com, while another six were for *.microsoft.com.
According to Microsoft, the certificates issued for windowsupdate.com couldn't be used by attackers because the company no longer uses that domain. Windows Update is now at windowsupdate.microsoft.com.
As Ness said, updates delivered via Microsoft's services are signed with a separate certificate that's closely held by the company. Without that code-signing certificate, attempts to deliver malware disguised as an update to a Windows PC would fail.
Other vendors, including Apple, also sign software updates with a separate certificate. Like its competitors, Microsoft will also permanently block all DigiNotar certificates.

Related Link:
Hackers may have stolen over 200 SSL certificates