Microsoft has revoked trust for dozens of self-issued digital certificates for its Business Productivity Online Standard cloud services.
The company released the advisory as a critical, non-security update in addition to its Patch Tuesday run, which contained nine security bulletins for 16 vulnerabilities, including the Windows XML Core Services flaw that was confirmed last month to have been exploited by attackers.
None of the unauthorised digital certificates were known to have been compromised or misused, according to Microsoft, but it advised customers to apply the update immediately, warning the certificates could be used to spoof a website.
“Upon a routine review and out of an abundance of caution, we are placing these certificates in the Untrusted Certificate Store, and replacing them with new certificate authorities that meet our high standard of public-key infrastructure (PKI) management,” said Microsoft.
In total it added 28 intermediate CA certificates for Business Productivity Online Standard suite in different regions to its Untrusted Certificate Store. A “subset” of these had code signing capabilities, Microsoft said.
The digital certificate clean out followed Microsoft’s efforts to tighten its Public Key Infrastructure practices in response to the Flame malware, which exploited the code signing feature of its Terminal Server Licensing Service to issue fraudulent certificates and spread the malware as Microsoft software.
In addition to removing trust for the unauthorised certificates, Microsoft will, in August, release an across the board update that will block certificates using cryptographic keys with less than 2048 bits, even if they are signed by a trusted authority. The update could impact websites, email, applications, and Active X controls that rely on 1024 bit cryptographic key certificates.
Microsoft today also released an automatic updater for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 that checks for a list of untrusted certificates once every 24 hours.
The feature was made available as an option under Windows Update in June, but will now be available as a non-security update, meaning it can be applied to all customers that have opted in to Automatic Updates.
Windows XP and Windows Server 2003 computers will continue to receive Untrusted Certificate Store updates via Windows Update, said Microsoft.