Windows Update threatened by fake SSL certificates

Microsoft warned users this weekend that the recent compromise of the certificate authority DigiNotar, and the fake SSL certificates issued as a result, could allow attackers to install malware on victims' computers via Windows Update.

The potential for a man-in-the-middle attack using this technique, the company said in a blog post, is mostly limited to users of Windows XP and Windows Server 2003, because those versions rely on a hard-coded list of trusted certificate authorities when verifying the update connection: an attacker positioned on the network path could present a fraudulent certificate that chains to a DigiNotar root, and the client would accept it. DigiNotar was not on the original list, but a 2008 update added it, so users of those systems need to take active steps to remove it again.

On newer versions of Windows and Windows Server, by contrast, a dynamically updated list of trusted certificate authorities should keep computers safe from any such tactic, Microsoft noted. Cached copies of the list, however, may have left them vulnerable through September 5.
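The "active steps" above amount to finding every DigiNotar root or intermediate in the machine's trust stores and distrusting it. The following PowerShell script is an added example, not code from the article or from Microsoft's advisory: it lists matching certificates in the LocalMachine Root, AuthRoot and CA stores and, with -Distrust, copies them into the Disallowed (Untrusted) store before removing them from the trusted stores. It assumes PowerShell 2.0 or later and an elevated prompt, and it matches on the CA name "DigiNotar" in the subject or issuer because the article gives no thumbprints; those are assumptions, not values from the page.

```powershell
# Added example (not from the article or Microsoft): audit and distrust DigiNotar
# certificates in the machine trust stores. Assumes PowerShell 2.0+ and elevation.
# Uses .NET X509Store directly so it does not need the PKI module of newer Windows.
param([switch]$Distrust)

$storeNames = 'Root', 'AuthRoot', 'CA'
# Name match is an assumption: the article names no thumbprints, so we key on the CA name.
$pattern = 'DigiNotar'

function Open-MachineStore([string]$name, [string]$mode) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($name, 'LocalMachine')
    $store.Open($mode)
    return $store
}

# Pass 1: enumerate every trusted store and collect matching certificates.
$found = @()
foreach ($name in $storeNames) {
    $store = Open-MachineStore $name 'ReadOnly'
    foreach ($cert in $store.Certificates) {
        if ($cert.Subject -match $pattern -or $cert.Issuer -match $pattern) {
            $found += New-Object PSObject -Property @{
                Store      = $name
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Cert       = $cert
            }
        }
    }
    $store.Close()
}

if ($found.Count -eq 0) {
    Write-Output "No certificates matching '$pattern' in the LocalMachine Root, AuthRoot or CA stores."
    return
}

$found | Format-Table Store, Thumbprint, Subject, NotAfter -AutoSize

# Pass 2 (optional): distrust. Add to Disallowed first, because a certificate present in
# Disallowed fails chain building even if a copy is later re-added to Root or AuthRoot
# (for example by the automatic root update mechanism on newer Windows).
if ($Distrust) {
    $disallowed = Open-MachineStore 'Disallowed' 'ReadWrite'
    foreach ($item in $found) {
        $disallowed.Add($item.Cert)
        $src = Open-MachineStore $item.Store 'ReadWrite'
        $src.Remove($item.Cert)
        $src.Close()
        Write-Output ("Distrusted {0} (was in {1})" -f $item.Thumbprint, $item.Store)
    }
    $disallowed.Close()
}
```

Run it once without -Distrust to see what is there, then with -Distrust from an elevated prompt. Because it only matches on the CA name, it will not catch a rogue end-entity certificate that was issued under DigiNotar but lives elsewhere; the point is to remove the root so that any such certificate stops validating. The CurrentUser stores are deliberately left alone here; audit them separately if users have added roots of their own.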

Keeping the list of trusted SSL certificate authorities current is an important task for IT departments, according to experts. A compromised certificate authority that remains in the trusted store opens a business to all sorts of damaging intrusions.