Security Advisory

Microsoft Security Advisory 2728973

Unauthorized Digital Certificates Could Allow Spoofing

Published: July 10, 2012 | Updated: September 05, 2012

Version: 1.2

General Information

Executive Summary

Microsoft is aware of Microsoft certificate authorities that are outside our recommended secure storage practices. Upon a routine review, we are placing these certificates in the Untrusted Certificate Store, and replacing them with new certificate authorities that meet our high standard of public-key infrastructure (PKI) management. We are unaware of any misuse of the certificate authorities, but are taking pre-emptive action to protect customers. This issue affects all supported releases of Microsoft Windows.

Microsoft is providing an update for all supported releases of Microsoft Windows. The update places the following intermediate CA certificates in the Untrusted Certificate Store:

  • Microsoft Genuine Windows Phone Public Preview CA01
  • Microsoft IPTVe CA
  • Microsoft Online CA001
  • Microsoft Online Svcs BPOS APAC CA1
  • Microsoft Online Svcs BPOS APAC CA2
  • Microsoft Online Svcs BPOS APAC CA3
  • CN=Microsoft Online Svcs BPOS APAC CA4
  • Microsoft Online Svcs BPOS APAC CA5
  • Microsoft Online Svcs BPOS APAC CA6
  • Microsoft Online Svcs BPOS CA1
  • Microsoft Online Svcs BPOS CA2
  • Microsoft Online Svcs BPOS CA2 (2 certificates)
  • Microsoft Online Svcs BPOS EMEA CA1
  • Microsoft Online Svcs BPOS EMEA CA2
  • Microsoft Online Svcs BPOS EMEA CA3
  • Microsoft Online Svcs BPOS EMEA CA4
  • Microsoft Online Svcs BPOS EMEA CA5
  • Microsoft Online Svcs BPOS EMEA CA6
  • Microsoft Online Svcs CA1 (2 certificates)
  • Microsoft Online Svcs CA3 (2 certificates)
  • Microsoft Online Svcs CA4 (2 certificates)
  • Microsoft Online Svcs CA5 (2 certificates)
  • Microsoft Online Svcs CA6

Recommendation. For supported releases of Microsoft Windows, Microsoft recommends that customers apply the update immediately. For more information, see the Suggested Actions section of this advisory.

Known Issues. Microsoft Knowledge Base Article 2728973 documents the currently known issues that customers may experience when installing this update.

Advisory Details

Issue References

For more information about this issue, see the following references:

References Identification
Microsoft Knowledge Base Article 2728973 

Affected Software and Devices

This advisory discusses the following affected software and devices.

Affected Software
Operating System
Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Server Core installation option
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

 

Non-Affected Devices
Windows Mobile 6.x
Windows Phone 7
Windows Phone 7.5

Frequently Asked Questions

What is the scope of the advisory?
The purpose of this advisory is to notify customers that Microsoft is aware of Microsoft certificate authorities that are outside our recommended secure storage practices. Upon a routine review and out of an abundance of caution, we are placing these certificates in the Untrusted Certificate Store, and replacing them with new certificate authorities that meet our high standard of public-key infrastructure (PKI) management. We are unaware of any misuse of the certificate authorities, but are taking pre-emptive action to protect customers. This issue affects all supported releases of Microsoft Windows.

Microsoft has issued an update for all supported releases of Microsoft Windows that addresses the issue.

Does this update address any other unauthorized digital certificates?
Yes, in addition to addressing the twenty-eight unauthorized certificates described in this advisory, this update is cumulative and addresses unauthorized digital certificates described in previous advisories: Microsoft Security Advisory 2524375, Microsoft Security Advisory 2607712, Microsoft Security Advisory 2641690, and Microsoft Security Advisory 2718704.

Note that although this update addresses certificates described in previous advisories, this update does not contain all the functionality introduced in previous advisories. For more information, see known issues in Microsoft Knowledge Base Article 2728973.

Is Windows 8 Release Preview or Windows Server 2012 Release Candidate affected by the issue addressed in this advisory?
Yes. The update is available for Windows 8 Release Preview and Windows Server 2012 Release Candidate. Customers with Windows 8 Release Preview and Windows Server 2012 Release Candidate are encouraged to apply the updates to their systems. For information on how to apply the update for Windows 8 Release Preview and Windows Server 2012 Release Preview, see the Suggested Actions section of this advisory.

What is cryptography?
Cryptography is the science of securing information by converting it between its normal, readable state (called plaintext) and one in which the data is obscured (known as ciphertext).

In all forms of cryptography, a value known as a key is used in conjunction with a procedure called a crypto algorithm to transform plaintext data into ciphertext. In the most familiar type of cryptography, secret-key cryptography, the ciphertext is transformed back into plaintext using the same key. However, in a second type of cryptography, public-key cryptography, a different key is used to transform the ciphertext back into plaintext.

What is a digital certificate?
In public-key cryptography, one of the keys, known as the private key, must be kept secret. The other key, known as the public key, is intended to be shared with the world. However, there must be a way for the owner of the key to tell the world who the key belongs to. Digital certificates provide a way to do this. A digital certificate is a tamperproof piece of data that packages a public key together with information about it - who owns it, what it can be used for, when it expires, and so forth.

What are certificates used for?
Certificates are used primarily to verify the identity of a person or device, authenticate a service, or encrypt files. Normally you won’t have to think about certificates at all. You might, however, see a message telling you that a certificate is expired or invalid. In those cases you should follow the instructions in the message.

What is a certification authority (CA)? Certification authorities are the organizations that issue certificates. They establish and verify the authenticity of public keys that belong to people or other certification authorities, and they verify the identity of a person or organization that asks for a certificate.

What is a Certificate Trust List (CTL)? A trust must exist between the recipient of a signed message and the signer of the message. One method of establishing this trust is through a certificate, an electronic document verifying that entities or persons are who they claim to be. A certificate is issued to an entity by a third party that is trusted by both of the other parties. So, each recipient of a signed message decides if the issuer of the signer's certificate is trustworthy. CryptoAPI has implemented a methodology to allow application developers to create applications that automatically verify certificates against a predefined list of trusted certificates or roots. This list of trusted entities (called subjects) is called a certificate trust list (CTL). For more information, please see the MSDN article, Certificate Trust Verification.

What caused the issue?
Microsoft is aware of Microsoft certificate authorities that are outside our recommended secure storage practices. We are unaware of any misuse of the certificate authorities, but are taking pre-emptive action to protect customers.

What might an attacker use the issue to do?
An attacker could use these certificates to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.

What is a man-in-the-middle attack?
A man-in-the-middle attack occurs when an attacker reroutes communication between two users through the attacker’s computer without the knowledge of the two communicating users. Each user in the communication unknowingly sends traffic to and receives traffic from the attacker, all the while thinking they are communicating only with the intended user.

What is Microsoft doing to help with resolving this issue?
We have placed the affected Microsoft certification authorities in the Untrusted Certificate Store and replaced them with new certificate authorities that meet our high standard of public-key infrastructure (PKI) management.

After applying the update, how can I verify the certificates in the Microsoft Untrusted Certificates Store?
For systems using the automatic updater of revoked certificates (see Microsoft Knowledge Base Article 2677070 for details), including Windows 8 Release Preview and Windows Server 2012 Release Candidate, you can check the Application log in the Event Viewer for an entry with the following values:

  • Source: CAPI2
  • Level: Information
  • Event ID: 4112
  • Description: Successful auto update of disallowed certificate list with effective date: Thursday, June 21, 2012 (or later).

For systems not using the automatic updater of revoked certificates, in the Certificates MMC snap-in, verify that the following certificates have been added to the Untrusted Certificates folder:

Certificate Issued by Thumbprint
Microsoft Genuine Windows Phone Public Preview CA01 Microsoft Windows Phone PCA e3 8a 2b 76 63 b8 67 96 43 6d 8d f5 89 8d 9f aa 68 35 b2 38
Microsoft IPTVe CA Microsoft Home Entertainment PCA be d4 12 b1 33 4d 7d fc eb a3 01 5e 5f 9f 90 5d 57 1c 45 cf
Microsoft Online CA001 Microsoft Services PCA a1 50 5d 98 43 c8 26 dd 67 ed 4e a5 20 98 04 bd bb 0d f5 02
Microsoft Online Svcs BPOS APAC CA1 Microsoft Services PCA d4 31 53 c8 c2 5f 00 41 28 79 87 25 0f 1e 3c ab ac 8c 21 77
Microsoft Online Svcs BPOS APAC CA2 Microsoft Services PCA d8 ce 8d 07 f9 f1 9d 25 69 c2 fb 85 44 01 bc 99 c1 eb 7c 3b
Microsoft Online Svcs BPOS APAC CA3 Microsoft Services PCA e9 5d d8 6f 32 c7 71 f0 34 17 43 eb d7 5e c3 3c 74 a3 de d9
CN=Microsoft Online Svcs BPOS APAC CA4 Microsoft Services PCA 3a 26 01 21 71 85 5d 40 20 c9 73 be c3 f4 f9 da 45 bd 2b 83
Microsoft Online Svcs BPOS APAC CA5 Microsoft Services PCA d0 bb 3e 3d fb fb 86 c0 ee e2 a0 47 e3 28 60 9e 6e 1f 18 5e
Microsoft Online Svcs BPOS APAC CA6 Microsoft Services PCA 08 73 8a 96 a4 85 3a 52 ac ef 23 f7 82 e8 e1 fe a7 bc ed 02
Microsoft Online Svcs BPOS CA1 Microsoft Services PCA 76 13 bf 0b a2 61 00 6c ac 3e d2 dd be f3 43 42 53 57 f1 8b
Microsoft Online Svcs BPOS CA2 Microsoft Services PCA 58 7b 59 fb 52 d8 a6 83 cb e1 ca 00 e6 39 3d 7b b9 23 bc 92
Microsoft Online Svcs BPOS CA2 Microsoft Services PCA 4e d8 aa 06 d1 bc 72 ca 64 c4 7b 1d fe 05 ac c8 d5 1f c7 6f
Microsoft Online Svcs BPOS CA2 Microsoft Services PCA f5 a8 74 f3 98 7e b0 a9 96 1a 56 4b 66 9a 90 50 f7 70 30 8a
Microsoft Online Svcs BPOS EMEA CA1 Microsoft Services PCA a3 5a 8c 72 7e 88 bc ca 40 a3 f9 67 9c e8 ca 00 c2 67 89 fd
Microsoft Online Svcs BPOS EMEA CA2 Microsoft Services PCA e9 80 9e 02 3b 45 12 aa 4d 4d 53 f4 05 69 c3 13 c1 d0 29 4d
Microsoft Online Svcs BPOS EMEA CA3 Microsoft Services PCA a7 b5 53 1d dc 87 12 9e 2c 3b b1 47 67 95 3d 67 45 fb 14 a6
Microsoft Online Svcs BPOS EMEA CA4 Microsoft Services PCA 33 0d 8d 3f d3 25 a0 e5 fd dd a2 70 13 a2 e7 5e 71 30 16 5f
Microsoft Online Svcs BPOS EMEA CA5 Microsoft Services PCA 09 27 1d d6 21 eb d3 91 0c 2e a1 d0 59 f9 9b 81 81 40 5a 17
Microsoft Online Svcs BPOS EMEA CA6 Microsoft Services PCA 83 8f fd 50 9d e8 68 f4 81 c2 98 19 99 2e 38 a4 f7 08 28 73
Microsoft Online Svcs CA1 Microsoft Services PCA 23 ef 33 84 e2 1f 70 f0 34 c4 67 d4 cb a6 eb 61 42 9f 17 4e
Microsoft Online Svcs CA1 Microsoft Services PCA a2 21 d3 60 30 9b 5c 3c 40 97 c4 4c c7 79 ac c5 a9 84 5b 66
Microsoft Online Svcs CA3 Microsoft Services PCA 89 77 e8 56 9d 2a 63 3a f0 1d 03 94 85 16 81 ce 12 26 83 a6
Microsoft Online Svcs CA3 Microsoft Services PCA 37 4d 5b 92 5b 0b d8 34 94 e6 56 eb 80 87 12 72 75 db 83 ce
Microsoft Online Svcs CA4 Microsoft Services PCA 66 90 c0 2b 92 2c bd 3f f0 d0 a5 99 4d bd 33 65 92 88 7e 3f
Microsoft Online Svcs CA4 Microsoft Services PCA 5d 51 85 df 1e b7 dc 76 01 54 22 ec 81 38 a5 72 4b ee 28 86
Microsoft Online Svcs CA5 Microsoft Services PCA a8 17 06 d3 1e 6f 5c 79 1c d9 d3 b1 b9 c6 34 64 95 4b a4 f5
Microsoft Online Svcs CA5 Microsoft Services PCA 4d f1 39 47 49 3c ff 69 cd e5 54 88 1c 5f 11 4e 97 c3 d0 3b
Microsoft Online Svcs CA6 Microsoft Services PCA 09 ff 2c c8 6c ee fa 8a 8b b3 f2 e3 e8 4d 6d a3 fa bb f6 3e

Note For information on how to view certificates with the MMC Snap-in, see the MSDN article, How to: View Certificates with the MMC Snap-in.

Suggested Actions

For supported editions of Windows XP and Windows Server 2003

The majority of customers have automatic updating enabled and will not need to take any action because the KB2728973 update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

For administrators and enterprise installations, or end users who want to install the KB2728973 update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service. For more information on how to manually apply the update, see Microsoft Knowledge Base Article 2728973.

For supported editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8 Release Preview, and Windows Server 2012 Release Preview

The majority of customers have automatic updating enabled and will not need to take any action because an automatic updater of revoked certificates will address the issue by automatically adding the certificates to the Untrusted Certificate Store.

The automatic updater of revoked certificates is available for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 through the Microsoft Update service and is described in Microsoft Knowledge Base Article 2677070. The automatic updater of untrusted certificates is included in Windows 8 Release Preview and Windows Server 2012 Release Candidate.

For end users who do not have the automatic updater of revoked certificates (2677070) or for systems that are not connected to the Internet, Microsoft recommends that customers manually apply the KB2728973 update immediately. For more information on how to manually apply the update manually, see Microsoft Knowledge Base Article 2728973.

For administrators and enterprise installations, Microsoft recommends that customers apply the update immediately using update management software. For more information about the update, see Microsoft Knowledge Base Article 2728973.

Additional Suggested Actions

  • Protect your PC

    We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. Customers can learn more about these steps by visiting Protect Your Computer.

    For more information about staying safe on the Internet, visit Microsoft Security Central.

  • Keep Microsoft Software Updated

    Users running Microsoft software should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Microsoft Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have automatic updating enabled and configured to provide updates for Microsoft products, the updates are delivered to you when they are released, but you should verify that they are installed.

Other Information

Microsoft Active Protections Program (MAPP)

To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.

Feedback

Support

  • Customers in the United States and Canada can receive technical support from Security Support. For more information about available support options, see Microsoft Help and Support.
  • International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit International Support.
  • Microsoft TechNet Security provides additional information about security in Microsoft products.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (July 10, 2012): Advisory published.
  • V1.1 (July 11, 2012): Corrected the disallowed certificate list effective date to "Thursday, June 21, 2012 (or later)" in the FAQ entry, "After applying the update, how can I verify the certificates in the Microsoft Untrusted Certificates Store?"
  • V1.2 (September 5, 2012): Corrected the common name for the "CN=Microsoft Online Svcs BPOS APAC CA4" certificate issued by Microsoft Services PCA.

Built at 2014-04-18T13:49:36Z-07:00