Microsoft and Adobe released security fixes today, and Microsoft blacklisted six more root certificates in the wake of a breach at DigiNotar that allowed fraudulent SSL certificates to be issued.
As part of its monthly Patch Tuesday, Microsoft released five security bulletins, none of which are critical, plugging 15 holes. Affected software includes Windows, Office, Excel, SharePoint, Windows Server, and Office Web Apps.
More details are in the advisory, which Microsoft accidentally posted online four days early and then removed so it could be released today.
Meanwhile, Microsoft revoked certificates signed by two certificate authorities, Entrust and Cybertrust, which had issued certificates on behalf of DigiNotar. DigiNotar was hacked and more than 500 SSL (Secure Sockets Layer) certificates were fraudulently issued, including one that was used in an attack involving spoofing Google.com to snoop on.
Microsoft, Google Chrome, Firefox, Opera, Adobe, and Apple now blacklist the certificates.
Meanwhile, Adobe today issued fixes for critical vulnerabilities in Adobe Reader and Acrobat that could allow an attacker to take control of the computer. More details are in the Adobe advisory.
Update September 14 at 11:41 a.m. PT: Dave Rockvam, general manager of certificate services and chief marketing officer at Entrust, told CNET that his firm had ended its cross-certification agreement with DigiNotar about a year ago as part of a move away from cross-certifications in general, so no new certificates from DigiNotar would be accepted. When the DigiNotar breach became public, Entrust revoked its legacy DigiNotar certificates and asked Microsoft to put them on the blacklist to be safe. "We just want to make sure it's clear that Entrust was in no way compromised by the breach at DigiNotar," he said.