Today we’re releasing Security Advisory 2607712, to address at least one fraudulent digital certificate issued by DigiNotar, a root certificate authority. DigiNotar has since revoked the digital certificate. This is not a Microsoft security vulnerability; however, the certificate potentially affects Internet users attempting to access websites belonging to Google. A fraudulent certificate may be used to spoof Web content, perform phishing attacks or perform man-in-the-middle attacks against end users.

We continue to work with the certificate authority to understand the scope of this issue, and have taken steps to further help protect customers by removing the DigiNotar root certificate from the list of trusted root certificates on Windows. Web sites with certificates issued by DigiNotar will no longer be trusted by Windows Vista and above. This protection is automatic and no customer action is required.

Click here for more information about the Windows Root Certificate Program and automatic updates. Customers should continue to utilize Internet Explorer’s Security Status bar located on the right side of the address bar to verify that the site being visited is valid and secure.

If you have not done so already, we highly recommend registering for our comprehensive security alerts. Sign up here: Microsoft Technical Security Notifications.

Thanks,

Dave Forstrom

Director, Trustworthy Computing