Microsoft dumps trust for 28 BPOS-cloud digital certificates

Some had code-signing capabilities.

Microsoft has revoked trust for dozens of self-issued digital certificates for its Business Productivity Online Standard cloud services.

The company released the advisory as a critical, non-security update in addition to its Patch Tuesday run, which contained nine security bulletins for 16 vulnerabilities, including the Windows XML Core Services flaw that was confirmed last month to have been exploited by attackers.

None of the unauthorised digital certificates were known to have been compromised or misused, according to Microsoft, but it advised customers to apply the update immediately, warning the certificates could be used to spoof a website.

“Upon a routine review and out of an abundance of caution, we are placing these certificates in the Untrusted Certificate Store, and replacing them with new certificate authorities that meet our high standard of public-key infrastructure (PKI) management,” said Microsoft.

In total it added 28 intermediate CA certificates for the Business Productivity Online Standard suite in different regions to its Untrusted Certificate Store. A “subset” of these had code-signing capabilities, Microsoft said.

The digital certificate clean-out followed Microsoft’s efforts to tighten its Public Key Infrastructure practices in response to the Flame malware, which exploited the code-signing feature of its Terminal Server Licensing Service to issue fraudulent certificates and spread the malware as Microsoft software.

In addition to removing trust for the unauthorised certificates, Microsoft will, in August, release an across-the-board update that will block certificates using cryptographic keys with less than 2048 bits, even if they are signed by a trusted authority. The update could impact websites, email, applications, and ActiveX controls that rely on 1024-bit cryptographic key certificates.

Microsoft today also released an automatic updater for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 that checks for an updated list of untrusted certificates once every 24 hours.

The feature was made available as an option under Windows Update in June, but will now be distributed as a non-security update, meaning it can be applied to all customers who have opted in to Automatic Updates.

Windows XP and Windows Server 2003 computers will continue to receive Untrusted Certificate Store updates via Windows Update, said Microsoft.
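A check an administrator could run ahead of the August update, added here as an example that is not part of the article or of Microsoft's update: it lists RSA certificates in the machine stores whose keys fall below the 2048-bit floor the article describes, then shows what the updater has already placed in the Untrusted (Disallowed) store. It assumes Windows PowerShell on a Windows host, run elevated; the function name is this example's own.

```powershell
# Added example, not code from the article or from Microsoft. Assumes Windows
# PowerShell (5.1 or earlier) running elevated, where $cert.PublicKey.Key
# exposes the RSA key size. The 2048-bit floor is the figure the article gives.

function Find-WeakRsaCertificate {
    param(
        [int]$MinimumBits = 2048,
        # Stores that feed chain building; Disallowed is the Untrusted store.
        [string[]]$Stores = @('Root', 'AuthRoot', 'CA', 'My')
    )
    foreach ($store in $Stores) {
        foreach ($cert in Get-ChildItem -Path "Cert:\LocalMachine\$store") {
            # Only RSA keys are subject to the key-length block; skip others.
            if ($cert.PublicKey.Oid.FriendlyName -ne 'RSA') { continue }
            $bits = $cert.PublicKey.Key.KeySize
            if ($bits -lt $MinimumBits) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    Thumbprint = $cert.Thumbprint
                    KeyBits    = $bits
                    NotAfter   = $cert.NotAfter
                }
            }
        }
    }
}

# 1. Certificates the August update would stop trusting on this machine.
Find-WeakRsaCertificate | Sort-Object Store, Subject | Format-Table -AutoSize

# 2. What the automatic updater has already placed in the Untrusted store,
#    so the revoked BPOS intermediates can be confirmed present after the update.
Get-ChildItem -Path 'Cert:\LocalMachine\Disallowed' |
    Select-Object Subject, Issuer, Thumbprint, NotAfter |
    Sort-Object Subject | Format-Table -AutoSize
```

Anything the first table reports will stop validating once the key-length update is applied, so it is the list to replace or re-issue beforehand.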
