Microsoft dumps trust for 28 BPOS-cloud digital certificates

Some had code-signing capabilities.
  • Liam Tung (CSO Online (Australia))
  • — 11 July, 2012 09:26

Microsoft has revoked trust for 28 self-issued intermediate CA certificates used by its Business Productivity Online Standard (BPOS) cloud services.

The company issued the revocation as Security Advisory 2728973, delivered as a critical-rated non-security update alongside its Patch Tuesday run, which contained nine security bulletins for 16 vulnerabilities, including the Windows XML Core Services flaw that was confirmed last month to have been exploited by attackers.

Microsoft said it was not aware of any of the certificates having been compromised or misused, but it advised customers to apply the update immediately: an intermediate CA that chains to a trusted root can issue a certificate for any name, so any one of them could be used to spoof content, mount phishing attacks, or perform man-in-the-middle attacks.

“Upon a routine review and out of an abundance of caution, we are placing these certificates in the Untrusted Certificate Store, and replacing them with new certificate authorities that meet our high standard of public-key infrastructure (PKI) management,” said Microsoft.

In total it added 28 intermediate CA certificates for the Business Productivity Online Standard suite, covering different regions, to its Untrusted Certificate Store. A “subset” of these had code signing capabilities, Microsoft said, meaning that a certificate issued under one of them could have signed executables that Windows would treat as legitimately signed.

The digital certificate clean-out followed Microsoft’s efforts to tighten its Public Key Infrastructure practices in response to the Flame malware. Flame’s authors abused certificates issued by Microsoft’s Terminal Server Licensing Service, which chained to a Microsoft root and were not restricted from code signing, and combined that with an MD5 collision to produce a certificate that let the malware spread as if it were Microsoft-signed software.

In addition to removing trust for the unauthorised certificates, Microsoft will, in August, release an across-the-board update (KB2661254) that blocks RSA certificates with keys shorter than 1024 bits, even if they chain to a trusted authority. The update could affect websites, email, applications, and ActiveX controls that still rely on certificates with 512-bit or other sub-1024-bit RSA keys; 1024-bit keys continue to work, although 2048 bits is the recommended minimum for any new certificate.
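The two checks an administrator would want after reading the above are whether the revoked intermediates actually landed in the Untrusted Certificate Store on a given machine, and whether anything on that machine still depends on an RSA key the August update will block. The PowerShell script below is an added example written for this page; it is not the article’s or Microsoft’s code. It assumes a Windows host with PowerShell 2.0 or later and the Cert: drive, and it matches the Disallowed store on the subject substring “BPOS”, which is an assumption from the product name rather than the advisory’s thumbprint list, so adjust the pattern (or switch to thumbprints) using the advisory itself.

```powershell
# Audit-CertStores.ps1 (added example, not from the article or from Microsoft)
# Assumptions: Windows with PowerShell 2.0+ and the Cert: provider; the subject
# substring 'BPOS' is assumed from the product name, not taken from the
# advisory's list of thumbprints, so align it with the advisory before relying on it.

param(
    [string]$SubjectPattern = 'BPOS',   # assumed pattern for the revoked intermediates
    [int]$MinimumKeyBits    = 1024      # limit enforced by the August 2012 update
)

# Returns the RSA modulus size in bits, or $null for non-RSA keys (DSA, ECC) or
# keys the platform cannot load.
function Get-RsaKeyBits {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if ($Cert.PublicKey.Oid.FriendlyName -ne 'RSA') { return $null }
    try   { return $Cert.PublicKey.Key.KeySize }
    catch { return $null }
}

# 1. Confirm the Untrusted Certificate Store ("Disallowed") carries entries matching
#    the pattern. Windows consults this store before building any chain, so an entry
#    here blocks the certificate even if a copy also sits in a trusted store. No rows
#    after applying the update means either the update did not land or the pattern
#    does not match the advisory's subjects.
Write-Host "== Disallowed entries matching '$SubjectPattern' =="
foreach ($location in 'LocalMachine', 'CurrentUser') {
    Get-ChildItem "Cert:\$location\Disallowed" |
        Where-Object { $_.Subject -match $SubjectPattern } |
        Select-Object @{n='Location';e={$location}}, Thumbprint, Subject, NotAfter |
        Format-Table -AutoSize
}

# 2. Find RSA certificates with keys shorter than the minimum in the stores that
#    drive trust decisions (Root, AuthRoot, CA, TrustedPublisher) and in the store
#    holding this machine's own certificates (My), which is where a web server,
#    mail server or code-signing identity would break after the update.
Write-Host "== RSA keys shorter than $MinimumKeyBits bits =="
$weak = @()
foreach ($location in 'LocalMachine', 'CurrentUser') {
    foreach ($store in 'Root', 'AuthRoot', 'CA', 'My', 'TrustedPublisher') {
        $path = "Cert:\$location\$store"
        if (-not (Test-Path $path)) { continue }
        foreach ($cert in (Get-ChildItem $path)) {
            $bits = Get-RsaKeyBits $cert
            if ($bits -ne $null -and $bits -lt $MinimumKeyBits) {
                $weak += $cert | Select-Object @{n='Store';e={$path}}, Thumbprint, Subject,
                                               @{n='KeyBits';e={$bits}}, NotAfter
            }
        }
    }
}
if ($weak.Count -eq 0) {
    Write-Host "No RSA keys below $MinimumKeyBits bits found."
} else {
    $weak | Format-Table -AutoSize
}
```

Run it as `.\Audit-CertStores.ps1` to reproduce the August cut-off, or `.\Audit-CertStores.ps1 -MinimumKeyBits 2048` to get an early list of 1024-bit certificates to replace before the stronger baseline arrives. Reading public keys in the LocalMachine stores does not require elevation, but run from an elevated prompt if a store enumeration is denied. The script only reports; replacing a weak key means re-issuing the certificate from its CA, not editing the store.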

Microsoft today also released an automatic updater (KB2677070) for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 that checks Microsoft’s list of untrusted certificates once every 24 hours and adds any new entries to the local Untrusted Certificate Store, so that future revocations no longer wait for a Patch Tuesday release.

The feature was made available as an optional update under Windows Update in June, but it is now offered as a non-security update, so it will reach every customer who has opted in to Automatic Updates.

Windows XP and Windows Server 2003 computers, which the updater does not support, will continue to receive Untrusted Certificate Store updates via Windows Update, said Microsoft.
