updated 01:00 pm EDT, Wed September 7, 2011
Microsoft addresses fake DigiNotar certificates
Microsoft has responded to the recently unveiled hack that saw DigiNotar issue fake security certificates for some high-profile websites by issuing a patch on Tuesday. The patch only applies to affected versions of Windows Vista and is delivered through Internet Explorer. After the vulnerability was discovered on August 28, Microsoft released a security advisory on August 29 and removed the DigiNotar root certificate from the Microsoft Certificate Trust List.
That initial update showed a warning to users who accessed a site whose certificate chained to the untrusted DigiNotar root certificate. They could still click through, however. Now the software giant has taken its precautions a step further and blocks all access to websites that use fake DigiNotar certificates.
Meanwhile, another European Certificate Authority, the UK's GlobalSign, warned that its certificates may also have been faked, as the individual responsible for the fake Comodo certificates claimed he had access to four other high-profile Certificate Authorities. GlobalSign on Tuesday said it would temporarily cease issuing certificates until its own investigation is complete.
The fake certificates can be used to phish for victims' information if the attacker has access to local networks, operates the network infrastructure between the victim and the site he or she is trying to access, or hijacks the DNS server used by ISPs. [via WinRumors]