Microsoft revokes 28 of its code-signing certificates
Posted on 11 July 2012.
The long awaited patch for the CVE-2012-1889 vulnerability that has been heavily exploited in the wild and the exploit for which has even been included in the Blackhole Exploit Kit is not the only big news from the latest Patch Tuesday.

Among other things, Microsoft has notified users that it has made available an automated Microsoft Fix it solution (a workaround - not a patch) that disables the Windows Sidebar and Gadgets on supported editions of Windows Vista and Windows 7, because of a number of vulnerabilities that involve the execution of arbitrary code by the Windows Sidebar when running insecure Gadgets.

The vulnerabilities in question will be revealed in a scheduled talk at the Black Hat security conference later this month in Las Vegas by two security researchers who shared their knowledge with Microsoft beforehand in order not to endanger users.

The company has also issued an advisory notifying users that it has revoked trust in 28 of its own intermediate CA certificates.

"Upon a routine review, we are placing these certificates in the Untrusted Certificate Store, and replacing them with new certificate authorities that meet our high standard of public-key infrastructure (PKI) management," they said. "We are unaware of any misuse of the certificate authorities, but are taking pre-emptive action to protect customers."

The revoked certificates could be uses to spoof content, perform phishing attacks, or perform man-in-the-middle attacks, and this move by Microsoft is the result of the discovery of the misuse of the company's trusted digital signatures by the recently discovered Flame malware.


What's the real cost of a security breach?

The majority of business decision makers admit that their organisation will suffer an information security breach and that the cost of recovery could start from around $1 million.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 11th