—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

Liebe Kolleginnen und Kollegen,

soeben erreichte uns nachfolgende Warnung des Microsoft Product Security
Notification Service. Wir geben diese Informationen unveraendert an Sie
weiter.

2607712 – Kompromittierte SSL-Zertifikate

Durch einen Einbruch bei der Certificate Authority DigiNotar wurden
diverse kompromittierte Zertifikate ausgestellt, u.a. ein
Wildcard-Zertifikat fuer *.google.com. Dies ermoeglicht einem entfernten
Angreifer einen eigenen Server unter der Adresse der kompromittierten
Zertifikate zu betreiben und einen Nutzer beispielsweise mittels
DNS-Manipulation auf diesen Server umzuleiten. So koennen Verbindungen
komplett abgehoert und manipuliert werden (Man-in-the-Middle-Angriff).
Es wurden bereits aktiv Man-in-the-Middle-Angriffe mit den betreffenden
Zertifikaten durchgefuehrt. Als Abhilfe wird die DigiNotar Wurzel-CA von
der Liste der vertrauenswuerdigen Wurzel-CAs entfernt.

Betroffen sind die folgenden Software Pakete und Plattformen:

Microsoft Internet Explorer

Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 mit SP2 fuer Itanium-basierte Systeme
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 fuer 32-bit Systeme Service Pack 2
Windows Server 2008 fuer x64-basierte Systeme Service Pack 2
Windows Server 2008 fuer Itanium-basierte Systeme Service Pack 2
Windows 7 fuer 32-bit Systeme
Windows 7 fuer 32-bit Systeme Service Pack 1
Windows 7 fuer x64-basierte Systeme
Windows 7 fuer x64-basierte Systeme Service Pack 1
Windows Server 2008 R2 fuer x64-basierte Systeme
Windows Server 2008 R2 fuer x64-basierte Systeme Service Pack 1
Windows Server 2008 R2 fuer Itanium-basierte Systeme
Windows Server 2008 R2 fuer Itanium-basierte Systeme Service Pack 1
Windows Server 2008 R2
Windows Phone 7

Vom Hersteller werden ueberarbeitete Pakete zur Verfuegung gestellt.

(c) der deutschen Zusammenfassung bei DFN-CERT Services GmbH; die
Verbreitung, auch auszugsweise, ist nur unter Hinweis auf den Urheber,
DFN-CERT Services GmbH, und nur zu nicht kommerziellen Zwecken
gestattet.

Mit freundlichen Gruessen,
Detlev O. Matthies

– —

Detlev O. Matthies, M.Sc. (Incident Response Team)

DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-590
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

Automatische Warnmeldungen https://www.cert.dfn.de/autowarn

Microsoft Security Advisory (2607712)
Fraudulent Digital Certificates Could Allow Spoofing
Published: August 29, 2011 | Updated: August 29, 2011

Version: 2.0
General Information
Executive Summary

Microsoft is aware of at least one fraudulent digital certificate issued by DigiNotar, a certification authority present in the Trusted Root Certification Authorities Store, on all supported releases of Microsoft Windows. Although this is not a vulnerability in a Microsoft product, Microsoft is taking action to protect customers.

Microsoft has been able to confirm that one digital certificate affects all subdomains of google.com and may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer. Microsoft is continuing to investigate how many more certificates have been fraudulently issued. As a precautionary measure, Microsoft has removed the DigiNotar root certificate from the Microsoft Certificate Trust List.

All supported editions of Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 use the Microsoft Certificate Trust List to validate the trust of a certification authority. Users of these operating systems will be presented with an invalid certificate error when they browse to a Web site or try to install programs signed by the DigiNotar root certificate. In those cases users should follow the instructions in the message. Microsoft will release a future update to address this issue for all supported editions of Windows XP and Windows Server 2003.

Microsoft is continuing to investigate this issue and may release future updates to help protect customers.
Top of sectionTop of section
Advisory Details
Affected Software and Devices

This advisory discusses the following software and devices.
Affected Software

Windows XP Service Pack 3

Windows XP Professional x64 Edition Service Pack 2

Windows Server 2003 Service Pack 2

Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 with SP2 for Itanium-based Systems

Windows Vista Service Pack 2

Windows Vista x64 Edition Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2*

Windows Server 2008 for x64-based Systems Service Pack 2*

Windows Server 2008 for Itanium-based Systems Service Pack 2

Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1

Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1*

Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

*Server Core installation affected. This advisory applies to supported editions of Windows Server 2008 or Windows Server 2008 R2 as indicated, whether or not installed using the Server Core installation option. For more information on this installation option, see the TechNet articles, Managing a Server Core Installation and Servicing a Server Core Installation. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.
Non-Affected Devices

Windows Phone 7
Top of sectionTop of section

Frequently Asked Questions

Suggested Actions
Other Information
Microsoft Active Protections Program (MAPP)

To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.
Top of sectionTop of section
Feedback
â?¢

You can provide feedback by completing the Microsoft Help and Support form, Customer Service Contact Us.
Top of sectionTop of section
Support
â?¢

Customers in the United States and Canada can receive technical support from Security Support. For more information about available support options, see Microsoft Help and Support.
â?¢

International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit International Support.
â?¢

Microsoft TechNet Security provides additional information about security in Microsoft products.
Top of sectionTop of section
Disclaimer

The information provided in this advisory is provided “as is” without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Top of sectionTop of section
Revisions
â?¢

V1.0 (August 29, 2011): Advisory published.
â?¢

V2.0 (August 29, 2011): Revised to correct erroneous advisory number.

—–BEGIN PGP SIGNATURE—–
Version: GnuPG v2.0.16 (GNU/Linux)

iQEcBAEBAgAGBQJOZIr7AAoJEJtyb8U7iGZBuyQIAIQLDm4ZTXPqvaICz4KD4rmX
zTLqQSlMyRiG3T4gPZuM5ypMcrjSnPtde+6tumPQv3ujVdQNAs8Hnf3FuGbxPhDQ
KB5J7K8oT4oIHxbugjVr0dGw29DITEXbJhWltbgEVfunKY1+pbWJaKjwd7xTkfzB
B0qvG6YLXtkgUDaPE5dSPtQfgi3IkLqgV7hzH38aqWnAdYa+3TOzlJ0OZLGANr2n
o5lEsIFB6qnUmh6Ev5gdpTvUqxUl7mlNkrSFuZ38YcA1AqfvxECXh97d9tc7iUPM
VsGXhmdiMynn/OAIsewrfFFPgbUJDFqoSNQrwQZEOJ0Du+ebMDocggOEGl4aYcc=
=t4xH
—–END PGP SIGNATURE—–