Microsoft Windows Includes Some Invalid Certificates
|
|
SecurityTracker Alert ID: 1027114 |
|
SecurityTracker URL: http://securitytracker.com/id/1027114
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Updated: Jun 4 2012
|
Original Entry Date: Jun 4 2012
|
Impact:
Modification of authentication information
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): XP SP3, 2003 SP2, Vista SP2, 2008 SP2, 7 SP1, 2008 R2 SP1; and prior service packs
|
Description:
A vulnerability was reported in Microsoft Windows. A remote user may be able to spoof code signing signatures.
The operating system includes some invalid intermediate certificates. The invalid certificates and their thumbprints are:
Microsoft Enforced Licensing Intermediate PCA: 2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70
Microsoft Enforced Licensing Intermediate PCA: 3a 85 00 44 d8 a1 95 cd 40 1a 68 0c 01 2c b0 a3 b5 f8 dc 08
Microsoft Enforced Licensing Registration Authority CA (SHA1): fa 66 60 a9 4a b4 5f 6a 88 c0 d7 87 4d 89 a8 63 d7 4d ee 97
The vulnerability is due to the certificate authorities and not the operating system itself.
Unauthorized digital certificates derived from these certificate authorities are being actively used in attacks.
Windows Mobile 6.x and Windows Phone 7 and 7.5 are also affected.
|
Impact:
A remote user may be able to spoof code signing signatures.
|
Solution:
The vendor has issued a fix (KB2718704), available via automatic update.
The vendor's advisory is available at:
http://technet.microsoft.com/en-us/security/advisory/2718704
|
Vendor URL: technet.microsoft.com/en-us/security/advisory/2718704 (Links to External Site)
|
Cause:
Configuration error
|
Underlying OS:
|
|
Message History:
None.
|
Source Message Contents
|
Date: Mon, 04 Jun 2012 03:05:27 +0000
Subject: Microsoft OS
|
http://technet.microsoft.com/en-us/security/advisory/2718704
Microsoft Security Advisory (2718704)
Unauthorized Digital Certificates Could Allow Spoofing
|
|
