Microsoft said Sunday that a digital certificate stolen from a Dutch company could not be used to force-feed customers malware through its Windows Update service.
The company's assertion came after a massive theft of more than 500 SSL certificates, including several that could be used to impersonate Microsoft's update services, was revealed by Dutch authorities and several other affected developers.
[ Also on InfoWorld: Nearly 300,000 Iranian IP addresses likely compromised. | Get all the details you need on deploying and using Windows 7 in the InfoWorld editors' 21-page Windows 7 Deep Dive PDF special report. | Stay abreast of key Microsoft technologies in our Technology: Microsoft newsletter. ]
"Attackers are not able to leverage a fraudulent Windows Update certificate to install malware via the Windows Update servers," said Jonathan Ness, an engineer with the Microsoft Security Response Center (MSRC), in a Sunday blog post. "The Windows Update client will only install binary payloads signed by the actual Microsoft root certificate, which is issued and secured by Microsoft."
Seven of the 531 certificates now known to have been fraudulently obtained by hackers in July were for the domains update.microsoft.com and windowsupdate.com, while another six were for *.microsoft.com.
According to Microsoft, the certificates issued for windowsupdate.com couldn't be used by attackers because the company no longer uses that domain. (Windows Update is now at windowsupdate.microsoft.com.) However, those for update.microsoft.com -- the domain for Microsoft Update -- and the wildcard *.microsoft.com could be.
As Ness said, updates delivered via Microsoft's services are signed with a separate certificate that's closely held by the company.
Without that code-signing certificate, attempts to deliver malware disguised as an update to a Windows PC would fail.
Other vendors, including Apple, also sign software updates with a separate certificate.
The certificates for the various Microsoft domains were issued by DigiNotar, a Dutch company that last week admitted its network had been hacked in mid-July.
The company initially believed it had revoked all the fraudulent certificates, but later realized it had overlooked one that could be used to impersonate any Google service, including Gmail. DigiNotar went public only after users reported their findings to Google.
Criminals or governments could use the stolen certificates to conduct "man in the middle" attacks, tricking users into thinking they were at a legitimate site when in fact their communications were being secretly intercepted.
Microsoft has added its voice to the chorus from rival browser makers, notably Google and Mozilla, about the seriousness of the situation. Like its competitors, Microsoft will also permanently block all DigiNotar certificates.
"We are in the process of moving all DigiNotar owned or managed [certificate authorities] to the Untrusted Root Store, which will deny access to any website using DigiNotar certificates," said Dave Forstrom, a director in the Microsoft Trustworthy Computing group, in an emailed statement Sunday.