Last week, Microsoft released Security Advisory 2607712, notifying customers that fraudulent digital certificates had been issued by certificate authority DigiNotar.   Earlier this week, the Microsoft Security Research & Defense Blog (srd blog) posted further guidance explaining more about the potential risks and actions you can take to protect yourself from any potential attacks that would leverage those fraudulent certificates.

The srd blog post provides details on the risks and actions in five areas:

  • Scope of the risk – Understand the conditions or scenario that would have to take place for an attack to succeed.  For example, without “man-in-the-middle” access, an attacker would be unlikely to be successful in carrying out an attack.
  • Vulnerable configurations – Different platforms have different risks.  Windows Phone devices are unaffected, for example, and Windows 7 and Windows Server 2008 can get an updated Certificate Trust List on Windows Update.  In contrast, Windows XP uses a different mechanism and needs different steps for protection.
  • What Microsoft is doing to protect you – Action has already been taken for Windows 7 and Windows Server 2008 as described above and an update will be available soon for Windows XP and Windows Server 2003 to add DigiNotar to the Untrusted Certificate Store.
  • What you can do to protect yourself – Remove the DigiNotar Root from the trusted root store and clear the cache to remove any older data.  Read the full srd blog post for detailed steps.
  • Additional protections built into Windows Update – The Windows Update client will only install binary payloads signed by the actual Microsoft root CA certificate, which is issued and secured by Microsoft.
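
One way to check where you stand on the "what you can do" item above, as an added example that is not from the original post or the srd blog: the script below inventories every certificate in the Windows certificate stores whose Subject or Issuer mentions DigiNotar and warns about any that sit in a trusted store without a matching entry in the Untrusted (Disallowed) store. It assumes Windows PowerShell 3.0 or later with the Cert: provider and an elevated prompt; the `DigiNotar` name match and the store list are assumptions, and removal is left commented out so the script is read-only by default.

```powershell
# Added example, not code from the original post. Assumes Windows PowerShell 3.0+
# (Cert: provider with Remove-Item support) run from an elevated prompt.
$Pattern = 'DigiNotar'   # assumed name fragment to match in Subject/Issuer

function Get-DigiNotarCerts {
    param([string]$Match = $Pattern)
    # Trusted roots live in Root/AuthRoot (and intermediates in CA);
    # explicit distrust is recorded in the Disallowed (Untrusted) store.
    foreach ($scope in 'LocalMachine', 'CurrentUser') {
        foreach ($store in 'Root', 'AuthRoot', 'CA', 'Disallowed') {
            $path = "Cert:\$scope\$store"
            if (-not (Test-Path $path)) { continue }
            Get-ChildItem -Path $path |
                Where-Object { $_.Subject -match $Match -or $_.Issuer -match $Match } |
                ForEach-Object {
                    [pscustomobject]@{
                        Scope      = $scope
                        Store      = $store
                        Subject    = $_.Subject
                        Thumbprint = $_.Thumbprint
                        NotAfter   = $_.NotAfter
                    }
                }
        }
    }
}

$found = @(Get-DigiNotarCerts)
if ($found.Count -eq 0) { Write-Output "No certificates matching '$Pattern' found." }
$found | Format-Table -AutoSize

# A certificate in a trusted store with no Disallowed entry for the same
# thumbprint is still trusted by this machine.
$trusted    = $found | Where-Object { $_.Store -ne 'Disallowed' }
$distrusted = @($found | Where-Object { $_.Store -eq 'Disallowed' } |
                Select-Object -ExpandProperty Thumbprint)
foreach ($cert in $trusted) {
    if ($distrusted -notcontains $cert.Thumbprint) {
        Write-Warning "Still trusted, not in Disallowed: $($cert.Subject) [$($cert.Thumbprint)]"
        # To remove it from the trusted store (elevated), uncomment the next line:
        # Remove-Item -Path "Cert:\$($cert.Scope)\$($cert.Store)\$($cert.Thumbprint)"
    }
}
```

After removing a root, the srd blog post's advice to clear cached data applies; the cached CRL/CTL downloads can be discarded with `certutil -urlcache * delete` (a standard certutil command, not taken from this post).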

This is just the executive summary; read the full srd blog post for more details on each of these areas.

~Jeff (@securityjones)