Microsoft revokes DigiNotar certificates from Windows, Mac users still vulnerable

Filed Under: Apple, Internet Explorer, Microsoft, OS X, Privacy, Vulnerability

Windows Update for 2607712Microsoft has just released an update to security advisory 2607712 permanently moving all five of DigiNotar's root certificates to the "revoked" certificate store.

How is this different than the previous update Microsoft released?

  1. It provides protection for all supported versions of Windows (XP, 2003, Vista, 2008, 7 and 2008R2).
  2. It covers all five root certificates owned by DigiNotar. The previous release only blocked two.
  3. Users are no longer presented with a certificate warning, they are prevented from accessing sites with SSL certificates issued by DigiNotar.

The third point is a particularly important one. Previously users were presented with a dialog asking them if they wish to proceed (which most users click through) as seen below.

IE untrusted certificate warning

Considering the risk involved with these compromised certificates Microsoft has taken the additional step of fully revoking them. This prevents the user from clicking though, effectively blocking all access to sites using DigiNotar keys.

IE revoked certificate block

All Windows users using automatic updates will apply this update and no reboot is required (except for Windows XP). What about the users in the Netherlands? Won't they be prevented from accessing a lot of secure websites with legitimate certificates from DigiNotar?

Yes. Microsoft has worked with the Dutch authorities to delay the rollout of this update to users in the Netherlands and their territories until next Tuesday (Patch Tuesday coincidentally).

This will give the many .nl websites an opportunity to replace their DigiNotar certificates with something more trustworthy. Users in the Netherlands will not be prevented from applying the update, it simply won't automatically apply until next Tuesday.

What about Apple users? Well, apparently they are too busy playing Angry Birds and making pictures in Photoshop to worry about pesky certificate issues.

My advice if you run a Mac? Use BootCamp and Windows 7 until Apple decides to provide a patch. Or I guess you could use Firefox (not Chome, it also uses Apple's KeyChain)...

Thanks to the JoshMeister for correcting me on Chrome using the Apple KeyChain, not its separate list like on Windows and Linux.

Update: Some folks have been asking for more information on this story. Please find the missing piece of the story in these previous posts:

, , , , , , , ,

You might like

9 Responses to Microsoft revokes DigiNotar certificates from Windows, Mac users still vulnerable

  1. victor · 957 days ago

    Use bootcamp & windows 7? No intelligent Mac user uses IE. Are 90 years old? Lol

  2. les pearson · 957 days ago

    Thanks for the advice but your explanation is less than useful, did you not think to explain what this means in laymen's terms? Does the man on the street know anything about any of the five root certificates owned by DigiNotar? What is the "revoked" certificate store - why the Netherlands. You explain nothing at all here!

  3. Dave Nelson · 957 days ago

    "What about Apple users? Well, apparently they are too busy playing Angry Birds and making pictures in Photoshop to worry about pesky certificate issues."

    Hey! That's a slam...

    So, I just now opened Keychain Assistant, selected System Roots, searched for DigiNotar and deleted the root certificate. Am I done?

  4. the JoshMeister · 957 days ago

    Actually, Chrome for Mac is not a good solution because it uses the Mac OS X Keychain (same as Safari):
    https://secure.wikimedia.org/wikipedia/en/wiki/Ke... http://security.thejoshmeister.com/2011/08/how-to...

    Also, as I pointed out in my article (second URL above) this issue affects mobile platforms too. Windows Phone 7 is not affected, but Apple's iOS (which runs on iPhone, iPad, and iPod touch) is affected and still unpatched. Apple needs to patch both Mac OS X and iOS to remove the DigiNotar certificate.

    • Kevin · 956 days ago

      Chrome for Mac does use Keychain, but in addition, in its own code, Chrome has blacklisted DigiNotar as a trusted certificate. http://nakedsecurity.sophos.com/2011/08/31/google...

      • Chester Wisniewski · 956 days ago

        Unfortunately Chrome for Mac does not honor the Google blacklist. I confirmed this on my Lion desktop, so for now you need to follow the instructions from ps | Enable mentioned in the comment above.

  5. Windows XP requires a reboot

    • Chester Wisniewski · 956 days ago

      I updated the article, thanks for the comment. Not a lot of XP machines around here to test on these days.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.