The official corporate security response blog

  • MSRC

    Microsoft releases Security Advisory 2588513

    Hello. Today we released Security Advisory 2588513, addressing an information-disclosure issue in SSL (Secure Sockets Layer) 3.0 and TLS (Transport Layer Security) 1.0 to provide guidance for customers. This is an industry-wide issue with limited impact that affects the Internet ecosystem as a whole rather than any specific platform. Our Advisory addresses the issue via the Windows operating system.

    We are not aware of a way to exploit this issue in other protocols or components, and we have no reports of exploitation in the wild at this time; our investigation continues, but our research so far indicates that customers are at minimal risk. To successfully exploit this issue, the would-be attacker must meet several conditions:

    • The targeted user must be in an active HTTPS session;
    • The malicious code the attacker needs to decrypt the HTTPS traffic must be injected and run in the user’s browser session; and
    • The attacker’s malicious code must be treated as coming from the same origin as the HTTPS server in order for it to be allowed to piggyback on the existing HTTPS connection.

    In addition, due to the fashion in which this man-in-the-middle exploit operates, a would-be attacker would need a fairly high-bandwidth connection to the target. Later versions of TLS (1.1 and 1.2) are not susceptible to this approach; our Security Advisory gives guidance on how to enable TLS 1.1 and 1.2 for customers who believe themselves to be at significant risk from this issue.

    For further information on the nature of the issue, please see “Is SSL broken? – More about Security Advisory 2588513” on the SRD blog.

    If you haven’t done so already, we suggest that you register for our security alerts (via email or RSS) on the Microsoft Technical Security Notifications page.

    Thanks --
    Jerry Bryant
    Group Manager, Response Communications
    Trustworthy Computing Group

  • MSRC

    Cumulative non-security update protects from fraudulent certificates

    Today, Microsoft re-released the KB2616676 non-security update for customers using Microsoft Windows XP and Windows Server 2003, which addresses an issue described in the “known issues” section of KB2616676. Customers who have enabled automatic updates are already protected and no further action is required; others are advised to download the cumulative version of KB2616676 to protect themselves from the fraudulent certificates listed in Security Advisory 2607712.

    Thanks,

    Dave Forstrom,

    Director, Trustworthy Computing

  • MSRC

    Q&A from the September 2011 Security Bulletin Webcast

    Hello,

    Today we published the September Security Bulletin Webcast Questions & Answers page. We fielded 15 questions, primarily regarding the DigiNotar certificate compromise and the associated Security Advisory. There was one question that we were unable to answer during the webcast due to time constraints, and we have included all questions and answers on the Q&A page.

    We invite our customers to join us for the next public webcast on Wednesday, October 12th at 11 a.m. PDT (-8 UTC), when we will go into detail about the September bulletin release and answer questions live on the air.

    Customers can register to attend at the link below:

    Date: Wednesday, October 12, 2011
    Time: 11:00 a.m. PDT (UTC -8)
    Register:
    Attendee Registration

    Thanks -

    Jerry Bryant

    Group Manager, Response Communications
    Trustworthy Computing Group

  • MSRC

    More on DigiNotar Certificates, and September Bulletins

    In an effort to protect customers, last week we released Security Advisory 2607712 along with a non-security update to add fraudulent DigiNotar certificates to the Windows Untrusted Certificate Store. Today, we are releasing another update (2616676), adding six additional DigiNotar root certificates that are cross-signed by Entrust and GTE, to the Untrusted Certificate Store. Update 2616676 supersedes 2607712 and contains the full list of certificates which are:

    • DigiNotar Root CA
    • DigiNotar Root CA G2
    • DigiNotar PKIoverheid CA Overheid
    • DigiNotar PKIoverheid CA Organisatie - G2
    • DigiNotar PKIoverheid CA Overheid en Bedrijven
    • DigiNotar Root CA Issued by Entrust (2 certificates)*
    • DigiNotar Services 1024 CA Issued by Entrust*
    • DigiNotar Cyber CA Issued by GTE CyberTrust (3 certificates)*

    Today, we are also releasing five Important security bulletins as part of our regular monthly release cycle to help protect customers using Microsoft Windows and Microsoft Office. As always, we encourage customers to test and deploy all security updates as soon as possible to protect their systems, but because we did not rate any of September’s updates Critical, we are not giving any a level 1 deployment priority.

    In this video, Jerry Bryant discusses this month's bulletins in further detail:

    Below is our deployment priority guidance to further assist customers in their deployment planning.

    Our risk and impact graph shows an aggregate view of this month's severity and exploitability index ratings.

    You can find more information about this month's security updates on the Microsoft Security Bulletin Summary web page.

    Per our usual process, we’ll offer the monthly technical webcast on Wednesday, hosted by Jerry Bryant and Dustin Childs. We invite you to tune in and learn more about the September security bulletins, and ask any questions you might have. We’ve scheduled the webcast for Wednesday, September 14, 2011 at 11 a.m. PDT and you can register here.

    You can also follow the MSRC team on Twitter at @MSFTSecResponse for all the latest information.

    Thank you,

    Pete Voss
    Trustworthy Computing

    UPDATE: We have updated the Known Issues section of KB 2616676 to notify customers using Windows XP and Windows Server 2003 who downloaded update 2616676 that the update only contains the latest six digital certificates that are cross-signed by GTE and Entrust. These update versions do not also contain the digital certificates that were included in update 2607712. Customers who install update 2607712, and then install update 2616676, will be protected against the fraudulent certificates described in Security Advisory 2607712.

  • MSRC

    Advanced Notification for the September 2011 Bulletin Release

    Hello everyone,

    As we do each month, we're providing advanced notification on the release of five Important security bulletins, addressing 15 vulnerabilities, to help protect customers using Microsoft Windows and Office. As usual, the bulletin release is scheduled for the second Tuesday of the month, September 13, at approximately 10 a.m. PDT.

    Additionally, I wanted to let you know that in order to facilitate localization, Microsoft has enhanced its URL pattern for all security bulletins. Now all TechNet pages, including security bulletins, advisories and MSVR advisories, use new URLs.

    The new URL pattern for bulletins will be: http://technet.microsoft.com/security/bulletin/msyy-xxx

    If available, the appropriate localized version of a page will render automatically, based on the local machine’s language settings. Microsoft has also started redirecting access to pages with the old URL pattern to the new pages with the new URL pattern.

    For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

    Thanks,

    Pete Voss,

    Sr. Response Communications Manager

    Microsoft Trustworthy Computing

    UPDATE:

    Microsoft inadvertently displayed draft text of September’s bulletin summary, five bulletins, and a security advisory update intended for release on Tuesday, Sept. 13. The draft text was removed as soon as the issue was discovered. We are not aware of any customer impact and are monitoring the issue.

    For information on the bulletins to be released on Sept. 13, please see Microsoft’s Advanced Notification.

  • MSRC

    Microsoft updates Security Advisory 2607712

    Today we’re updating Security Advisory 2607712, to announce that based on our investigation, we’ve deemed all DigiNotar certificates to be untrustworthy and have moved them to the Untrusted Certificate Store. Additionally, we have extended our support with this update so all customers using Windows XP, Windows Server 2003, and all Windows supported third-party applications are protected.

    Today’s update, deployed via Automatic Update, applies to all supported releases of Microsoft Windows, and revokes the trust of the following DigiNotar root certificates by placing them into the Microsoft Untrusted Certificate Store:

    • DigiNotar Root CA
    • DigiNotar Root CA G2
    • DigiNotar PKIoverheid CA Overheid
    • DigiNotar PKIoverheid CA Organisatie - G2
    • DigiNotar PKIoverheid CA Overheid en Bedrijven
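    As an added check (not from the MSRC post or Microsoft's own tooling), this PowerShell snippet confirms on a Windows host that the DigiNotar CAs listed above, plus the Entrust- and GTE-cross-signed ones named in the 2616676 post further up the page, are in the local Untrusted (Disallowed) store and that no DigiNotar-issued certificate remains in a trusted store. It assumes the standard Cert: PowerShell drive; the subject names are taken from the posts.

```powershell
# Added example, not part of the MSRC post. Subject CNs below come from Security
# Advisory 2607712 and update 2616676; the Cert: provider is standard PowerShell.
$expectedBlocked = @(
    'DigiNotar Root CA',
    'DigiNotar Root CA G2',
    'DigiNotar PKIoverheid CA Overheid',
    'DigiNotar PKIoverheid CA Organisatie - G2',
    'DigiNotar PKIoverheid CA Overheid en Bedrijven',
    'DigiNotar Services 1024 CA',
    'DigiNotar Cyber CA'
)

# Machine-wide Untrusted store and the three stores that confer trust.
$disallowed = @(Get-ChildItem -Path Cert:\LocalMachine\Disallowed)
$trusted    = @('Root', 'AuthRoot', 'CA') |
    ForEach-Object { Get-ChildItem -Path "Cert:\LocalMachine\$_" }

# 1. Each listed CA should be present (matched on its exact subject CN) in Disallowed.
foreach ($name in $expectedBlocked) {
    $pattern = 'CN=' + [regex]::Escape($name) + '(,|$)'   # avoids "Root CA" matching "Root CA G2"
    $hits = $disallowed | Where-Object { $_.Subject -match $pattern }
    if ($hits) {
        foreach ($c in $hits) { "BLOCKED  $name  thumbprint=$($c.Thumbprint)" }
    } else {
        "MISSING  $name is not in Cert:\LocalMachine\Disallowed"
    }
}

# 2. Nothing with a DigiNotar subject or issuer should remain in a trusted store.
#    The cross-signed roots appear with a DigiNotar subject but an Entrust/GTE issuer,
#    so both fields are checked.
$stillTrusted = $trusted | Where-Object {
    $_.Subject -like '*DigiNotar*' -or $_.Issuer -like '*DigiNotar*'
}
if ($stillTrusted) {
    foreach ($c in $stillTrusted) { "WARNING  still trusted: $($c.Subject) (issuer $($c.Issuer))" }
} else {
    "OK  no DigiNotar subject or issuer found in Root/AuthRoot/CA"
}
```

    Run it in an elevated PowerShell session so the LocalMachine stores are readable; a MISSING line means the update has not reached that host.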

    We recognize this issue as an industry problem, and we have been actively collaborating with certificate authorities, governments, and software vendors to help protect our mutual customers. We continue to investigate this issue, and will update this blog as new information becomes available.

    For more information about this issue and the actions Microsoft is taking to protect its customers, please visit Security Advisory 2607712.

    Thanks,

    Dave Forstrom

    Director, Trustworthy Computing

  • MSRC

    More on Microsoft’s response to the DigiNotar compromise

    This blog post was updated Sept. 5, 2011 below.

    Microsoft’s investigation into the scope and impact of the DigiNotar compromise has continued over the holiday weekend. We’ve now confirmed that spoofed certificates for *.microsoft.com and *.windowsupdate.com are among those issued by the Dutch firm.

    Users of Vista and later operating systems have been protected since we released Security Advisory 2607712 on August 29. In addition, customers using Windows Update on any platform are not at risk of exploitation from the windowsupdate.com certificate, since that domain is no longer in use. The Windows Update service uses multiple means of checking that the content distributed is legitimate and uncompromised. For more information on how Microsoft is protecting customers and additional actions customers may take for further protection, please see today’s SRD blog post titled “Protecting yourself from attacks leveraging fraudulent DigiNotar digital certificates.”

    As always, we continue to take action to ensure the safety of our customers. We have already removed the two DigiNotar root certificates, which encompass what we believe to be the vast majority of the fraudulently issued digital certificates, from the Certificate Trust List. All fraudulent certificates that have been disclosed to Microsoft roll up to one of those two root certificates. We are also working to update Security Advisory 2607712 for customers on XP and Server 2003 and will continue to investigate any additional issues arising from the spoofed *.microsoft.com certificate. We will provide updated information to customers as it becomes available.

    Dave Forstrom
    Director, Trustworthy Computing

    UPDATED Sept. 5, 2011

    On Aug. 29, Microsoft released Security Advisory 2607712 to remove two DigiNotar root certificates from the Certificate Trust List. We are in the process of moving all DigiNotar owned or managed Certificate Authorities to the Untrusted Certificate Store, which will deny access to any websites using DigiNotar certificates. Microsoft is preparing to release an update to implement these protections.

    Microsoft is offering the update to customers worldwide in order to protect them from this breach. At the explicit request of the Dutch government, Microsoft will delay deployment of this update in the Netherlands for one week to give the government time to replace certificates. Dutch customers who wish to install the update can do so by manually visiting Windows Update or following the instructions available at ww.microsoft.nl once the security update is released worldwide.

    For further updates and actions customers may take for added protection, visit: http://blogs.technet.com/b/msrc.
