Microsoft is taking additional steps to address weaknesses in its digital certificates, revoking an additional two dozen of the cryptographic keys used to validate the authenticity of its software.
The certificates were revoked because the software giant said they were protected with a weaker encryption algorithm, making them vulnerable to being cracked and used by cybercriminals, according to the Microsoft security advisory issued Tuesday, the same day as the company’s July 2012 Patch Tuesday release. The move is part of an ongoing project by the software maker to improve the security of its Windows Update mechanism after cybercriminals spoofed it in targeted attacks against people in Iran as part of a nation-state intelligence-gathering operation.
“Upon a routine review, we are placing these certificates in the Untrusted Certificate Store, and replacing them with new certificate authorities that meet our high standard of public-key infrastructure (PKI) management,” Microsoft said. “We are unaware of any misuse of the certificate authorities, but are taking pre-emptive action to protect customers.”
The revocation includes an update for all supported releases of Microsoft Windows. It also provides Windows systems with an automated process to check a revocation list, a feature that was unveiled last month but is now being pushed out via the company’s automated software update mechanism. Additional information about the digital certificate revocation is available via Microsoft’s TechNet Knowledge Base article.
An update due out in August invalidates digital certificates using the RSA algorithm with key length less than 1024 bits, “even if they are otherwise valid and signed by a trusted certificate authority,” explained Gerardo Di Giacomo and Jonathan Ness, members of Microsoft’s security team, in a blog entry outlining the changes.
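One way to find certificates that fall under the rule described above, as an added example that is not from Microsoft or the original article: a read-only PowerShell inventory of the local certificate stores for RSA keys shorter than 1024 bits. The function name `Get-WeakRsaCertificate` is hypothetical, and the script assumes Windows PowerShell 5.1 or later (.NET 4.6+ for `GetRSAPublicKey`).

```powershell
# Added example (not Microsoft's code): list certificates whose RSA public key
# is shorter than the 1024-bit minimum. Read-only; it changes no store.
$MinRsaBits = 1024                      # threshold stated in the article
$RsaOid     = '1.2.840.113549.1.1.1'    # rsaEncryption public-key OID

function Get-WeakRsaCertificate {       # hypothetical helper name
    param(
        [string[]]$StorePath = @('Cert:\LocalMachine', 'Cert:\CurrentUser'),
        [int]$MinimumBits = $MinRsaBits
    )
    Get-ChildItem -Path $StorePath -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        ForEach-Object {
            $cert = $_
            # Only RSA keys are in scope; skip ECC and DSA certificates.
            if ($cert.PublicKey.Oid.Value -ne $RsaOid) { return }
            try {
                $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
                $bits = $rsa.KeySize
            } catch {
                $bits = $null           # undecodable key: report it, do not hide it
            }
            if ($null -eq $bits -or $bits -lt $MinimumBits) {
                # PSParentPath looks like '...Certificate::LocalMachine\Root'
                $store = ($cert.PSParentPath -split '::')[-1]
                [pscustomobject]@{
                    Store            = $store
                    AlreadyUntrusted = $store -like '*\Disallowed'
                    KeyBits          = $bits
                    SignatureAlg     = $cert.SignatureAlgorithm.FriendlyName
                    NotAfter         = $cert.NotAfter
                    Thumbprint       = $cert.Thumbprint
                    Subject          = $cert.Subject
                }
            }
        }
}

Get-WeakRsaCertificate |
    Sort-Object Store, Subject |
    Format-Table -AutoSize
```

Rows with `AlreadyUntrusted` set to `True` sit in the Untrusted Certificates (`Disallowed`) store; the remaining rows are the ones to replace with stronger keys.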
Flame malware toolkit prompts focus on digital certs
The updates are all part of an effort by Microsoft to harden its internal PKI practices and its Windows Update channel PKI handling after sophisticated cybercriminals exploited weaknesses to use the digital certificates in a targeted attack.
In June, Microsoft revoked digital certificates following analysis of the Flame malware, a cyberespionage malware toolkit. The attackers used digital certificates to spoof the Windows Update mechanism on victims’ machines. The targeted attack – impacting fewer than 200 people in Iran – is believed to have been carried out by a joint U.S. and Israeli intelligence operation.
The attackers appeared to use a cryptographic collision attack against the weakened encryption algorithm. Security experts say the software giant fears that other financially motivated cybercriminals can copy the technique used by the Flame malware authors to conduct more widespread attacks.