Inadvertently Disclosed Digital Certificates Could Allow Spoofing
Published: September 24, 2015 | Updated: October 13, 2015
On September 24, 2015, Microsoft published this advisory to notify customers of four inadvertently disclosed digital certificates that could be used to spoof content and to provide an update to the Certificate Trust List (CTL) to remove user-mode trust for the certificates. As reported, the disclosed end-entity certificates cannot be used to issue other certificates or impersonate other domains, but could be used to sign code. Furthermore, the respective issuing certificate authorities have revoked the four certificates.
With the October 13, 2015 revision of this advisory, Microsoft is announcing the availability of an update for all supported releases of Windows that modifies the Code Integrity component in Windows to extend trust removal for the certificates to also preclude kernel-mode code signing.
Recommendation. Please see the Suggested Actions section of this advisory for instructions on applying the updates for specific releases of Microsoft Windows. Note that both the CTL update released on September 24, 2015 and the Windows update released on October 13, 2015 are required for affected systems to be protected from this issue.
Known Issues. Microsoft Knowledge Base Article 3097966 documents a currently known issue that customers may experience when installing the update of October 13, 2015. The article also documents a recommended solution.
For more information about this issue, see the following references:
**Note** Windows Server Technical Preview 3 is affected. Customers running this operating system are encouraged to apply the update, which is available via [Windows Update](http://go.microsoft.com/fwlink/?linkid=21130).
Windows Phone 8 and Windows Phone 8.1 devices automatically received the CTL update of September 24, 2015; however, these devices do not allow installation of third-party drivers, even if signed, so they do not require the secondary update of October 13, 2015.
The Windows 10 update is cumulative. In addition to containing non-security updates, it also contains all of the security fixes for all of the Windows 10-affected vulnerabilities shipping with given month’s security release. The update is available via the Windows Update Catalog. See [Microsoft Knowledge Base Article 3097617](https://support.microsoft.com/en-us/kb/3097617) for more information and download links.
**Why was this advisory revised on October 13, 2015?**
The advisory was revised on October 13, 2015 to notify customers that a Windows update is available that modifies the Code Integrity component in Windows to extend trust removal for the four digital certificates to also preclude kernel-mode code signing. For more information and download links, see [Microsoft Knowledge Base Article 3097966](http://support.microsoft.com/kb/3097966). Note that both the CTL update released on September 24, 2015 and the Windows update released on October 13, 2015 are required for affected systems to be protected from the issue discussed in this advisory.
**What is the scope of the advisory?**
The purpose of this advisory is to notify customers of updates to Windows and the Certificate Trust List (CTL) to remove user-mode trust and kernel-mode code signing trust for four digital certificates and that the respective issuing certificate authorities (CAs) have revoked the certificates.
**What caused the issue?**
The issue was caused by D-Link Corporation inadvertently publishing the certificates.
**Does the CTL update address any other digital certificates?**
Yes, in addition to addressing the certificates described in this advisory, the CTL update originally released on September 24, 2015 is cumulative and includes digital certificates described in previous advisories:
- [Microsoft Security Advisory 3050995](http://technet.microsoft.com/security/advisory/3050995)
- [Microsoft Security Advisory 3046310](http://technet.microsoft.com/security/advisory/3046310)
- [Microsoft Security Advisory 2982792](http://technet.microsoft.com/security/advisory/2982792)
- [Microsoft Security Advisory 2916652](http://technet.microsoft.com/security/advisory/2916652)
- [Microsoft Security Advisory 2798897](http://technet.microsoft.com/security/advisory/2798897)
- [Microsoft Security Advisory 2728973](http://technet.microsoft.com/security/advisory/2728973)
- [Microsoft Security Advisory 2718704](http://technet.microsoft.com/security/advisory/2718704)
- [Microsoft Security Advisory 2641690](http://technet.microsoft.com/security/advisory/2641690)
- [Microsoft Security Advisory 2607712](http://technet.microsoft.com/security/advisory/2607712)
- [Microsoft Security Advisory 2524375](http://technet.microsoft.com/security/advisory/2524375)
**What is cryptography?**
Cryptography is the science of securing information by converting it between its normal, readable state (called plaintext) and one in which the data is obscured (known as ciphertext).
In all forms of cryptography, a value known as a key is used in conjunction with a procedure called a crypto algorithm to transform plaintext data into ciphertext. In the most familiar type of cryptography, secret-key cryptography, the ciphertext is transformed back into plaintext using the same key. However, in a second type of cryptography, public-key cryptography, a different key is used to transform the ciphertext back into plaintext.
**What is a digital certificate?**
In [public-key cryptography](http://msdn.microsoft.com/en-us/library/92f9ye3s.aspx), one of the keys, known as the private key, must be kept secret. The other key, known as the public key, is intended to be shared with the world. However, there must be a way for the owner of the key to tell the world who the key belongs to. Digital certificates provide a way to do this. A digital certificate is a tamperproof piece of data that packages a public key together with information about it (who owns it, what it can be used for, when it expires, and so forth).
**What are certificates used for?**
Certificates are used primarily to verify the identity of a person or device, authenticate a service, or encrypt files. Normally you won’t have to think about certificates at all. You might, however, see a message telling you that a certificate is expired or invalid. In those cases, you should follow the instructions in the message.
**What is a certification authority (CA)?**
Certification authorities are the organizations that issue certificates. They establish and verify the authenticity of public keys that belong to people or other certification authorities, and they verify the identity of a person or organization that asks for a certificate.
**What is a Certificate Trust List (CTL)?**
A trust must exist between the recipient of a signed message and the signer of the message. One method of establishing this trust is through a certificate, an electronic document verifying that entities or persons are who they claim to be. A certificate is issued to an entity by a third party that is trusted by both of the other parties. So, each recipient of a signed message decides if the issuer of the signer's certificate is trustworthy. CryptoAPI has implemented a methodology to allow application developers to create applications that automatically verify certificates against a predefined list of trusted certificates or roots. This list of trusted entities (called subjects) is called a certificate trust list (CTL). For more information, please see the MSDN article, [Certificate Trust Verification](http://msdn.microsoft.com/library/aa376546).
**What might an attacker do with these certificates?**
An attacker could use the certificates to fraudulently sign code.
**What is Microsoft doing to help resolve this issue?**
Although this issue does not result from an issue in any Microsoft product, we are nevertheless updating the CTL and providing a Windows update to help protect customers. Microsoft will continue to investigate this issue and may make future changes to the CTL or release a future update to help protect customers.
**After applying the CTL update, how can I verify that the certificate is in the Microsoft Untrusted Certificates Store?**
For Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 systems that are using the automatic updater of revoked certificates (see [Microsoft Knowledge Base Article 2677070](http://support.microsoft.com/kb/2677070) for details), and for Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, Windows Server 2012 R2, and Windows 10 systems, you can check the Application log in the Event Viewer for an entry with the following values:
- Source: CAPI2
- Level: Information
- Event ID: 4112
- Description: Successful auto update of disallowed certificate list with effective date: Wednesday, September 23, 2015 (or later).
For systems not using the automatic updater of revoked certificates, in the **Certificates MMC snap-in**, verify that the following certificate has been added to the **Untrusted Certificates** folder:
3e b4 4e 5f fe 6d c7 2d ed 70 3e 99 90 27 22 db 38 ff d1 cb
73 11 e7 7e c4 00 10 9d 6a 53 26 d8 f6 69 62 04 fd 59 aa 3b
db 50 42 ed 25 6f f4 26 86 7b 33 28 87 ec ce 2d 95 e7 96 14
**Note** For information on how to view certificates with the MMC Snap-in, see the MSDN article, [How to: View Certificates with the MMC Snap-in](http://msdn.microsoft.com/en-us/library/ms788967.aspx).
- **Apply the 3097966 update released on October 13, 2015**
The majority of customers have automatic updating enabled and will not need to take any action because the 3097966 update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see [Microsoft Knowledge Base Article 3097966](https://support.microsoft.com/kb/3097966).
For administrators and enterprise installations, or end users who want to install the 3097966 update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the [Microsoft Update](http://go.microsoft.com/fwlink/?linkid=40747) service. For more information on how to manually apply the update, see [Microsoft Knowledge Base Article 3097966](https://support.microsoft.com/kb/3097966).
- **Apply the CTL update released on September 24, 2015 (if not already applied)**
An automatic updater of revoked certificates is included in supported editions of Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, and Windows 10 and for devices running Windows Phone 8 and Windows Phone 8.1. For these operating systems or devices, customers do not need to take any action, because the CTL will be updated automatically.
For systems running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 that are using the automatic updater of revoked certificates (see [Microsoft Knowledge Base Article 2677070](http://support.microsoft.com/kb/2677070) for details), customers do not need to take any action, because these systems will be automatically protected.
For systems running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 that do not have the automatic updater of revoked certificates installed, this update is not available. To receive this update customers must install the automatic updater of revoked certificates (see [Microsoft Knowledge Base Article 2677070](https://support.microsoft.com/kb/2677070) for details). Customers in disconnected environments who are running Windows Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 can install update 2813430 to receive this update (see [Microsoft Knowledge Base Article 2813430](https://support.microsoft.com/kb/2813430) for details).
### Additional Suggested Actions
- **Protect your PC**
We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. For more information, see [Microsoft Safety & Security Center](http://www.microsoft.com/security/default.aspx).
- **Keep Microsoft Software Updated**
Users running Microsoft software should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit [Microsoft Update](http://go.microsoft.com/fwlink/?linkid=40747), scan your computer for available updates, and install any high-priority updates that are offered to you. If you have automatic updating enabled and configured to provide updates for Microsoft products, the updates are delivered to you when they are released, but you should verify that they are installed.
Security Update Deployment
For Security Update Deployment information, see the [Microsoft Knowledge Base Article 3097966](http://support.microsoft.com/kb/3097966).
- You can provide feedback by completing the Microsoft Help and Support form, [Customer Service Contact Us](http://support.microsoft.com/kb/?scid=sw;en;1257&showpage=1&ws=technet&sd=tech).
- Customers in the United States and Canada can receive technical support from [Security Support](http://go.microsoft.com/fwlink/?linkid=21131). For more information, see [Microsoft Help and Support](http://support.microsoft.com/).
- International customers can receive support from their local Microsoft subsidiaries. For more information, see [International Support](http://go.microsoft.com/fwlink/?linkid=21155).
- [Microsoft TechNet Security](http://go.microsoft.com/fwlink/?linkid=21132) provides additional information about security in Microsoft products.
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (September 24, 2015): Advisory published.
- V2.0 (October 13, 2015): Advisory revised to notify customers that an update is available that modifies the Code Integrity component in Windows to extend trust removal for the four digital certificates addressed by this advisory to also preclude kernel-mode code signing.
*Page generated 2015-11-16 08:35-08:00.*