Microsoft Security Advisory (2718704)

Why was this advisory revised June 13, 2012? 
Microsoft revised this advisory to notify customers that after further investigation, Microsoft has determined that Windows Mobile 6.x, Windows Phone 7, and Windows Phone 7.5 devices are not affected by the issue.

What is the scope of the advisory? 
The purpose of this advisory is to notify customers that Microsoft has confirmed two unauthorized certificates have been issued by Microsoft and are being used in active attacks. During our investigation, a third Certificate Authority has been found to have issued certificates with weak ciphers.

Microsoft has issued an update for all supported releases of Microsoft Windows that addresses the issue.

Does this update address any other unauthorized digital certificates? 
Yes, in addition to addressing the three unauthorized certificates described in this advisory, this update is cumulative and addresses unauthorized digital certificates described in previous advisories: Microsoft Security Advisory 2524375, Microsoft Security Advisory 2607712, and Microsoft Security Advisory 2641690.

Is Windows 8 Consumer Preview affected by the issue addressed in this advisory?  
Yes. The update is available for the Windows 8 Consumer Preview release. Customers with Windows 8 Consumer Preview are encouraged to apply the updates to their systems. The updates are only available on Windows Update.

Is Windows 8 Release Preview affected by the issue addressed in this advisory? 
Yes. The update is available for the Windows 8 Release Preview release. Customers with Windows 8 Release Preview are encouraged to apply the updates to their systems. The updates are only available on Windows Update.

What is cryptography?
Cryptography is the science of securing information by converting it between its normal, readable state (called plaintext) and one in which the data is obscured (known as ciphertext).

In all forms of cryptography, a value known as a key is used in conjunction with a procedure called a crypto algorithm to transform plaintext data into ciphertext. In the most familiar type of cryptography, secret-key cryptography, the ciphertext is transformed back into plaintext using the same key. However, in a second type of cryptography, public-key cryptography, a different key is used to transform the ciphertext back into plaintext.

What is a digital certificate?
In public-key cryptography, one of the keys, known as the private key, must be kept secret. The other key, known as the public key, is intended to be shared with the world. However, there must be a way for the owner of the key to tell the world who the key belongs to. Digital certificates provide a way to do this. A digital certificate is a tamperproof piece of data that packages a public key together with information about it - who owns it, what it can be used for, when it expires, and so forth.

What are certificates used for?
Certificates are used primarily to verify the identity of a person or device, authenticate a service, or encrypt files. Normally you won’t have to think about certificates at all. You might, however, see a message telling you that a certificate is expired or invalid. In those cases you should follow the instructions in the message.

What is a certification authority (CA)?
Certification authorities are the organizations that issue certificates. They establish and verify the authenticity of public keys that belong to people or other certification authorities, and they verify the identity of a person or organization that asks for a certificate.

What is a Certificate Trust List (CTL)?
A trust must exist between the recipient of a signed message and the signer of the message. One method of establishing this trust is through a certificate, an electronic document verifying that entities or persons are who they claim to be. A certificate is issued to an entity by a third party that is trusted by both of the other parties. So, each recipient of a signed message decides if the issuer of the signer's certificate is trustworthy. CryptoAPI has implemented a methodology to allow application developers to create applications that automatically verify certificates against a predefined list of trusted certificates or roots. This list of trusted entities (called subjects) is called a certificate trust list (CTL). For more information, please see the MSDN article, Certificate Trust Verification.

What caused the issue?
Microsoft is aware of active attacks using unauthorized digital certificates derived from a Microsoft Certificate Authority. A unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows.

What might an attacker use the issue to do? 
An attacker could use these certificates to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.

What is a man-in-the-middle attack?
A man-in-the-middle attack occurs when an attacker reroutes communication between two users through the attacker’s computer without the knowledge of the two communicating users. Each user in the communication unknowingly sends traffic to and receives traffic from the attacker, all the while thinking they are communicating only with the intended user.

What is Microsoft doing to help with resolving this issue?
We have updated the Untrusted Certificate Store to remove the trust in the affected Microsoft certification authorities.

After applying the update, how can I verify the certificates in the Microsoft Untrusted Certificates Store? 
For information on how to view certificates, see the MSDN article, How to: View Certificates with the MMC Snap-in.

In the Certificates MMC snap-in, verify that the following certificates have been added to the Untrusted Certificates folder:

For supported releases of Microsoft Windows

The majority of customers have automatic updating enabled and will not need to take any action because the KB2718704 update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

For administrators and enterprise installations, or end users who want to install the KB2718704 update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service. For more information on how to manually apply the update, see Microsoft Knowledge Base Article 2718704.