Microsoft issue fixes, blacklists more DigiNotar certificates

Microsoft fixes 15 holes in Windows, Office, and other software, and blacklists six more root certificates. Also, Adobe issues critical security updates for Reader and Acrobat.

Here is the list of DigiNotar root certificates that Microsoft has added to the Windows Untrusted Certificate Store in order to protect users from Secure Sockets Layer spoofing attacks.
Here is the list of DigiNotar root certificates that Microsoft has added to the Windows Untrusted Certificate Store to protect users from Secure Sockets Layer spoofing attacks. Microsoft

Microsoft and Adobe released security fixes today, and Microsoft blacklisted six more root certificates in the wake of a breach at DigiNotar that allowed fraudulent SSL certificates to be issued.

As part of its monthly Patch Tuesday, Microsoft released five security bulletins, none of which are critical, plugging 15 holes. Affected software includes Windows, Office, Excel, SharePoint, Windows Server, and Office Web Apps.

More details are in the advisory, which Microsoft had accidentally posted online four days early before removing it to save it for today.

Meanwhile, Microsoft revoked certificates signed by two certificate authorities, Entrust and Cybertrust, which had issued certificates on behalf of DigiNotar. DigiNotar was hacked and more than 500 SSL (Secure Sockets Layer) certificates were fraudulently issued, including one that was used in an attack involving spoofing Google.com to snoop on Gmail of users in Iran .

Microsoft, Google Chrome, Firefox, Opera, Adobe, and Apple now blacklist the certificates.

Meanwhile, Adobe today issued fixes for critical vulnerabilities in Adobe Reader and Acrobat that could allow an attacker to take control of the computer. More details are in the Adobe advisory.

Update September 14 at 11:41 a.m. PT: Dave Rockvam, general manager of certificate services and chief marketing officer at Entrust, told CNET that his firm had ended its cross-certification agreement with DigiNotar about a year ago as part of a move away from cross-certifications in general, so no new certificates from DigiNotar would be accepted. And when the DigiNotar breach became public Entrust revoked its legacy DigiNotar certificates and asked Microsoft to put them on the blacklist to be safe. "We just want to make sure it's clear that Entrust was in no way compromised by the breach at DigiNotar," he said.

 

Join the discussion

Conversation powered by Livefyre

Show Comments Hide Comments
Latest Galleries from CNET
15 crazy old phones from a Korean museum (pictures)
10 gloriously geeky highlights from 2014 (pictures)
2015.5 Volvo XC60: updated tech, understated design
Busted! CNET readers show us their broken devices (pictures)
Take a closer look at the BlackBerry Classic (pictures)