MICROSOFT AND MOZILLA have issued updates to completely remove all certificates signed by Diginotar from their products, including an intermediary one corresponding to PKIoverheid, a certificate authority (CA) serving the Dutch government.
Following a security breach at Diginotar that resulted in the issuing of hundreds of rogue certificates, Google, Mozilla and Microsoft took the unprecedented measure of removing the Dutch CA's root certificates from their respective products.
However, the vendors didn't blacklist Diginotar PKIoverheid, an intermediary CA that signs certificates for the Dutch government. The decision to keep its root certificates was taken because its independent certificate issuing process was not believed to have been compromised.
But following an audit the Dutch government changed its previous assessment and announced during the early hours on Saturday that PKIoverheid certificates should no longer be trusted.
Google was the first to react by issuing an update for Chrome that blacklisted the PKIoverheid CA certificates. Mozilla and Microsoft followed suit shortly thereafter with the release of Firefox 6.0.2 and Internet Explorer (IE) patch KB2607712, respectively.
In addition to removing trust for PKIoverheid CA certificates, Firefox 6.0.2 also resolves an issue with gov.uk being treated as a public suffix. This bug allowed cookies to leak from one government website to another.
Microsoft took additional steps to make sure that Diginotar rogue certificates are not abused in Internet Explorer. Normally, when IE users encounter a SSL certificate warning they can override it and continue to the resource. This is no longer the case with web sites using certificates issued by Diginotar, for which the only option is to close them.
Microsoft's decision affects hundreds of legitimate web sites in the Netherlands, including governmental ones. Organizations using certificates issued by Diginotar will need to obtain new ones from other CAs in order to avoid serious disruptions to their services.
The Redmond software giant rejected claims that rogue certificates issued for *.microsoft.com and windowsupdate.com can be leveraged to serve malicious Windows updates to users. "The Windows Update client will only install binary payloads signed by the actual Microsoft root certificate, which is issued and secured by Microsoft," said Jonathan Ness of MSRC Engineering.
However, the Iranian hacker responsible for the Diginotar breach does not agree with this assessment. He stressed, "I'm able to issue windows update, Microsoft's statement about Windows Update and that I can't issue such update is totally false!"
"I already reversed ENTIRE windows update protocol, how it reads XMLs via SSL which includes URL, KB no, SHA-1 hash of file for each update, how it verifies that downloaded file is signed using WinVerifyTrust API, and... Simply I can issue updates via windows update," he added.
Meanwhile, Apple has not reacted to the Diginotar CA compromise at all. According to security experts, Safari users are still vulnerable to attacks using the rogue certificates. In the absence of an official update, some developers have released their own instructions and applications to blacklist the Diginotar certificates on Mac OS X. µ