Microsoft’s investigation into the scope and impact of the DigiNotar compromise has continued over the holiday weekend. We’ve now confirmed that spoofed certificates for *.microsoft.com and *.windowsupdate.com are among those issued by the Dutch firm.
Users of Vista and later operating systems have been protected since we released Security Advisory 2607712 on August 29. In addition, customers using Windows Update on any platform are not at risk of exploitation from the windowsupdate.com certificate, since that domain is no longer in use. The Windows Update service uses multiple means of checking that the content distributed is legitimate and uncompromised. For more information on how Microsoft is protecting customers and additional actions customers may take for further protection, please see today’s SRD blog post titled “Protecting yourself from attacks leveraging fraudulent DigiNotar digital certificates.”
As always, we continue to take action to ensure the safety of our customers. We have already moved two DigiNotar root certificates, which encompass what we believe to be the vast majority of the fraudulently issued digital certificates, to our Untrusted Root Store. All fraudulent certificates that have been disclosed to Microsoft roll up to one of those two root certificates. We are also working to update Security Advisory 2607712 for customers on XP and Server 2003 and will continue to investigate any additional issues arising from the spoofed *.microsoft.com certificate. We will provide updated information to customers as it becomes available.
Director, Trustworthy Computing