As part of its “Patch Tuesday” updates this month, Microsoft changed how Windows manages certificates.
These changes include a new automatic updater tool for Windows 7 and Windows Vista that will flag stolen or known forged certificates. This shift will have a big impact on companies and software vendors who use Microsoft’s implementation of public key infrastructure as part of their authentication and software distribution, especially if they haven’t followed best practices for certificates in the past.
Flame Keeps Security Wags on Alert
Talk to Me: Stuxnet, Flame a Global Alert
Stuxnet Warfare: The Gloves are Off
Flame: ‘20 Times Larger than Stuxnet’
New Stuxnet Waiting for Green Light
Stuxnet Loaded by Iran Double Agents
The changes come on the heels of revelations about the Flame malware, which used a rogue certificate authority that masqueraded as Microsoft in order to hijack the Windows Update mechanism. On June 8, Microsoft made changes to its Update service to prevent such attacks in the future. The changes announced June 11 go even further, moving to blunt the use of malware writers and attackers from using stolen or forged certificates of any kind.
The new certificate update tool will rely on a “Disallowed Certificate Trust List” maintained by Microsoft, according to a post on the Microsoft Security Response Center blog by Microsoft Trustworthy Computing spokesperson Angela Gunn. The tool will check the list daily, moving certificates found on the list to an “untrusted” store. In the past, moving certificates to untrusted status required manually updating them.
Microsoft also gave advance warning of an update to how Windows manages certificates that will blanket invalidate certificates that don’t have adequate security. Certificates with RSA encryption keys of less than 1024 bits will automatically be invalid. “Once this key length update is released, we will treat all of these certificates as invalid, even if they are currently valid and signed by a trusted certificate authority,” Gunn said.