Skip to main content

Microsoft Windows Includes Some Invalid Certificates Vulnerability

Last Update Date: 5 Jun 2012 12:03 Release Date: 5 Jun 2012 4837 Views

RISK: High Risk

TYPE: Operating Systems - Windows OS

TYPE: Windows OS

A vulnerability was identified in Microsoft Windows. A remote user may be able to spoof code signing signatures.

The operating system includes some invalid intermediate certificates. The invalid certificates and their thumbprints are:

Microsoft Enforced Licensing Intermediate PCA: 2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70

Microsoft Enforced Licensing Intermediate PCA: 3a 85 00 44 d8 a1 95 cd 40 1a 68 0c 01 2c b0 a3 b5 f8 dc 08

Microsoft Enforced Licensing Registration Authority CA (SHA1): fa 66 60 a9 4a b4 5f 6a 88 c0 d7 87 4d 89 a8 63 d7 4d ee 97

The vulnerability is due to the certificate authorities and not the operating system itself.

Unauthorized digital certificates derived from these certificate authorities are being actively used in attacks.


Impact

  • Spoofing

System / Technologies affected

  • Windows XP
  • Windows 7
  • Windows Vista
  • Windows Server 2003
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Mobile 6.x
  • Windows Phone 7 and 7.5

Solutions

Before installation of the software, please visit the software manufacturer web-site for more details.

  • The vendor has issued a fix (KB2718704), available via automatic update.

Vulnerability Identifier

  • No CVE information is available

Source


Related Link