Microsoft Security Advisory: Fraudulent digital certificates could allow spoofing

Article ID: 2616676

INTRODUCTION

Microsoft has released a Microsoft security advisory about this issue for IT professionals. This update is released for all supported versions of Microsoft Windows. The update revokes the trust of the following DigiNotar root certificates by putting them in the Microsoft Untrusted Certificate Store:
  • DigiNotar Root CA
  • DigiNotar Root CA G2
  • DigiNotar PKIoverheid CA Overheid
  • DigiNotar PKIoverheid CA Organisatie - G2
  • DigiNotar PKIoverheid CA Overheid en Bedrijven
  • DigiNotar Root CA Issued by Entrust (2 certificates)
  • DigiNotar Services 1024 CA Issued by Entrust
  • DigiNotar Cyber CA Issued by GTE CyberTrust (3 certificates)
The security advisory contains additional security-related information. To view the security advisory, visit the following Microsoft website:
http://technet.microsoft.com/security/advisory/2607712

MORE INFORMATION

Download information

The following files are available for download from the Microsoft Download Center:

  • Download the Update for Windows 7 (KB2616676) package now.
  • Download the Update for Windows 7 for x64-based Systems (KB2616676) package now.
  • Download the Update for Windows Server 2008 R2 for Itanium-based Systems (KB2616676) package now.
  • Download the Update for Windows Server 2008 R2 x64 Edition (KB2616676) package now.
  • Download the Update for Windows Vista (KB2616676) package now.
  • Download the Update for Windows Vista for x64-based Systems (KB2616676) package now.
  • Download the Update for Windows Server 2008 (KB2616676) package now.
  • Download the Update for Windows Server 2008 for Itanium-based Systems (KB2616676) package now.
  • Download the Update for Windows Server 2008 x64 Edition (KB2616676) package now.
  • Download the Update for Windows XP (KB2616676) package now.
  • Download the Update for Windows XP x64 Edition (KB2616676) package now.
  • Download the Update for Windows Server 2003 (KB2616676) package now.
  • Download the Update for Windows Server 2003 for Itanium-based Systems (KB2616676) package now.
  • Download the Update for Windows Server 2003 x64 Edition (KB2616676) package now.

Release Date: September 19, 2011

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Known issues

  • We have finished the investigation into an issue with update 2616676 for all Windows XP-based and Windows Server 2003-based systems.

    Before September 19, 2011, the versions of update 2616676 for Windows XP and for Windows Server 2003 contained only the latest six digital certificates, the ones cross-signed by GTE CyberTrust and Entrust. These versions of the update did not contain the digital certificates that were included in update 2607712 or update 2524375. Update 2616676 also incorrectly superseded update 2607712, so systems that had 2616676 were no longer offered 2607712. Therefore, before September 19, 2011, if you installed update 2616676 and had not already installed update 2607712 or update 2524375, your system was not protected against the fraudulent digital certificates described in security advisory 2607712.

    On September 19, 2011, we rereleased update 2616676 to address this issue. If you are running Windows XP or Windows Server 2003 and you have not applied updates 2524375, 2607712, and 2616676, you should install cumulative update 2616676.

    Most systems have automatic updating enabled. If automatic updating is enabled, you do not have to take any action: the rereleased update 2616676 is installed automatically if any of the certificates are missing from the Microsoft Untrusted Certificate Store. Update 2616676 is not reoffered to systems that already have updates 2524375, 2607712 and 2616676 installed.

    Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2 are not affected by this issue; their versions of update 2616676 were complete from the first release.
  • A restart is required for all editions of Windows XP and of Windows Server 2003.
  • A restart is not normally required for any edition of Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are in use, this update will require a restart. In that case you receive a message that prompts you to restart.
  • The Dutch government has additional information available about this incident and about the use of any DigiNotar certificates. For more information, visit the following third-party website:
    http://www.logius.nl
    Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
  • Some Windows Server 2003 customers may also notice that two SHA-2 (SHA-256-signed) certificates are missing from the Untrusted Certificate Store. The SHA-1 fingerprints of these certificates are as follows:
    • 43D9BCB568E039D073A74A71D8511F7476089CC3
    • 5DE83EE82AC5090AEA9D6AC4E7A6E213F946E179
    These certificates are missing because, by default, Windows Server 2003 does not support SHA-2 certificates, and the update does not add entries the system cannot parse. Only systems that have update 938397 (which adds SHA-2 support) installed will have these two certificates installed. A system without SHA-2 support cannot validate a chain that depends on these certificates in the first place, so their absence from the store does not by itself leave it exposed.
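
    The following Windows PowerShell script is an added check and is not part of Microsoft's article or of the update itself. It verifies, on one host, the three things this article describes: that the DigiNotar roots listed in the introduction are actually present in the Untrusted Certificate Store (Cert:\LocalMachine\Disallowed), whether the two SHA-2 fingerprints from this Known issues entry are present, and whether updates 2524375, 2607712 and 2616676 are recorded as installed. It assumes Windows PowerShell 2.0 or later (the Cert: drive and Get-HotFix both exist from 2.0 on, including on Windows XP SP3 and Windows Server 2003 SP2 with PowerShell installed), and an elevated prompt. The subject names below are taken from the advisory list; whether each matches exactly on a given system is an assumption, which is why the script also prints every DigiNotar entry it finds.

```powershell
# Added example, not Microsoft's code: audit the DigiNotar revocation state described in KB2616676.
# Assumes Windows PowerShell 2.0+ and an elevated prompt (LocalMachine\Disallowed is the
# "Untrusted Certificates" store that the update populates).

# Names taken from the advisory list. Cross-signed copies (Entrust, GTE CyberTrust) keep the
# DigiNotar subject but carry a different issuer, so matching on Subject catches them as well.
$expectedSubjects = @(
    'DigiNotar Root CA',
    'DigiNotar Root CA G2',
    'DigiNotar PKIoverheid CA Overheid',
    'DigiNotar PKIoverheid CA Organisatie - G2',
    'DigiNotar PKIoverheid CA Overheid en Bedrijven',
    'DigiNotar Services 1024 CA',
    'DigiNotar Cyber CA'
)

# The two SHA-2 certificates that Windows Server 2003 lacks unless KB938397 is installed.
$sha2Thumbprints = @(
    '43D9BCB568E039D073A74A71D8511F7476089CC3',
    '5DE83EE82AC5090AEA9D6AC4E7A6E213F946E179'
)

# The cumulative chain of certificate-revocation updates named in the article.
$requiredHotfixes = @('KB2524375', 'KB2607712', 'KB2616676')

$untrusted = @(Get-ChildItem -Path Cert:\LocalMachine\Disallowed)
$digiNotar = @($untrusted | Where-Object { $_.Subject -match 'DigiNotar' -or $_.Issuer -match 'DigiNotar' })

Write-Host ("Untrusted store holds {0} DigiNotar-related entries (the advisory lists 11):" -f $digiNotar.Count)
$digiNotar | Sort-Object Subject | Format-Table -AutoSize Thumbprint, Subject, Issuer

Write-Host "`nRevocation entries by advisory name:"
foreach ($name in $expectedSubjects) {
    # Anchor the CN so 'DigiNotar Root CA' does not also count 'DigiNotar Root CA G2'.
    $pattern = '(^|, )CN=' + [regex]::Escape($name) + '(,|$)'
    $hits = @($digiNotar | Where-Object { $_.Subject -match $pattern })
    $state = if ($hits.Count -gt 0) { 'present ({0} entries)' -f $hits.Count } else { 'MISSING' }
    Write-Host ("  {0,-50} {1}" -f $name, $state)
}

Write-Host "`nSHA-2 entries (expected absent on Windows Server 2003 without KB938397):"
foreach ($tp in $sha2Thumbprints) {
    $found = @($untrusted | Where-Object { $_.Thumbprint -eq $tp })
    $state = if ($found.Count -gt 0) { 'present' } else { 'absent' }
    Write-Host ("  {0}  {1}" -f $tp, $state)
}

Write-Host "`nInstalled revocation updates (Get-HotFix reads Win32_QuickFixEngineering):"
$installed = @(Get-HotFix -ErrorAction SilentlyContinue | ForEach-Object { $_.HotFixID })
foreach ($kb in $requiredHotfixes) {
    $state = if ($installed -contains $kb) { 'installed' } else { 'not installed' }
    Write-Host ("  {0}  {1}" -f $kb, $state)
}
```

    A name reported as MISSING on a Windows XP or Windows Server 2003 system that shows only the six Entrust and GTE CyberTrust entries is the symptom of the pre-September 19 version of the update; install the rereleased cumulative 2616676 and rerun the script. Get-HotFix only reports updates that registered a Quick Fix Engineering record, so treat "not installed" as a prompt to check the store contents above rather than as proof on its own.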

Properties

Article ID: 2616676 - Last Review: October 24, 2011 - Revision: 4.1
APPLIES TO
  • Windows 7 Service Pack 1, when used with:
    • Windows 7 Enterprise
    • Windows 7 Professional
    • Windows 7 Ultimate
    • Windows 7 Home Premium
    • Windows 7 Home Basic
  • Windows 7 Enterprise
  • Windows 7 Professional
  • Windows 7 Ultimate
  • Windows 7 Home Premium
  • Windows 7 Home Basic
  • Windows Server 2008 R2 Service Pack 1, when used with:
    • Windows Server 2008 R2 Standard
    • Windows Server 2008 R2 Enterprise
    • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Standard
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 Service Pack 2, when used with:
    • Windows Server 2008 for Itanium-Based Systems
    • Windows Server 2008 Datacenter
    • Windows Server 2008 Enterprise
    • Windows Server 2008 Standard
    • Windows Web Server 2008
  • Windows Server 2008 for Itanium-Based Systems
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
  • Windows Web Server 2008
  • Windows Vista Service Pack 2, when used with:
    • Windows Vista Business
    • Windows Vista Enterprise
    • Windows Vista Home Basic
    • Windows Vista Home Premium
    • Windows Vista Starter
    • Windows Vista Ultimate
    • Windows Vista Enterprise 64-bit Edition
    • Windows Vista Home Basic 64-bit Edition
    • Windows Vista Home Premium 64-bit Edition
    • Windows Vista Ultimate 64-bit Edition
    • Windows Vista Business 64-bit Edition
  • Windows Vista Service Pack 1, when used with:
    • Windows Vista Business
    • Windows Vista Enterprise
    • Windows Vista Home Basic
    • Windows Vista Home Premium
    • Windows Vista Starter
    • Windows Vista Ultimate
    • Windows Vista Enterprise 64-bit Edition
    • Windows Vista Home Basic 64-bit Edition
    • Windows Vista Home Premium 64-bit Edition
    • Windows Vista Ultimate 64-bit Edition
    • Windows Vista Business 64-bit Edition
  • Microsoft Windows Server 2003 Service Pack 2, when used with:
    • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
    • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
    • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
    • Microsoft Windows Server 2003, Web Edition
    • Microsoft Windows Server 2003, Datacenter x64 Edition
    • Microsoft Windows Server 2003, Enterprise x64 Edition
    • Microsoft Windows Server 2003, Standard x64 Edition
    • Microsoft Windows XP Professional x64 Edition
    • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
    • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows XP Service Pack 3, when used with:
    • Microsoft Windows XP Home Edition
    • Microsoft Windows XP Professional
Keywords: 
kbexpertiseinter kbinfo kbsecadvisory kbsecurity kbsecvulnerability KB2616676
