Microsoft blunder creates new DigiNotar threat

Microsoft has released an update for its Windows XP and Windows Server 2003 products, after accidentally re-approving stolen certificates from beleaguered Dutch certificate authority DigiNotar.

When news of the attack against DigiNotar, which saw the authority used to issue wildcard certificates for domains including Google.com in an apparent attack against Iranian dissidents, broke, Microsoft - along with other browser and operating system manufacturers - rushed to issue patches that removed the implicit trust previously enjoyed by the certificate authority.

A patch by Microsoft removed the trust, as expected, for five DigiNotar root certificates but a later patch issued to add six more certificates - cross-signed by GTE and Entrust - failed to include the originally banned certificates.

As a result, users relying on the update mechanism built into Windows XP and Windows Server 2003 were left vulnerable to attacks using the original DigiNotar certificates for a period of around a week.

"The versions [...] for Windows XP and for Windows Server 2003 contained only the latest six digital certificates cross-signed by GTE and Entrust," Microsoft admitted in an announcement regarding the newly-issued patch. "These versions of the update did not contain the digital certificates that were included [previously.]"

The latest update, live on the Windows Update service now, includes the accidentally-removed DigiNotar certificates along with the six co-signed certificates added by the second patch, and is a recommended upgrade for all Windows XP and Windows Server 2003 users. Those on newer versions of Microsoft's operating system, including Windows Vista and Windows 7, were not affected by the flawed update and can continue as normal.

With the individual claiming to be behind the DigiNotar attack believed to have infiltrated several other trusted certificate authorities, Microsoft is going to have to be a bit more careful about its future security updates.