Trust of Leaked Certificates Revoked by Microsoft
Trust in the four digital certificates leaked last week has been revoked by Microsoft. The certificates were leaked unknowingly by D-Link, as reported by Threatpost.
Last week networking gear manufacturer D-Link was in the news for the wrong reason. An embarrassing mistake by the company led to the release of private keys that can be used to sign certificates. The keys were found in D-Link’s open source firmware package.
Private keys are used to sign certificates for programs. A program that carries a signature from a legitimate certificate easily makes its way past the security scanners of any organization. The mistake by D-Link could, therefore, have had serious consequences.
The news was disclosed by a Dutch tech website, which reported that private keys used to sign certificates were found in D-Link’s open source firmware packages. This was confirmed by Fox-IT as well. The keys were found in the firmware available for download for D-Link’s DCS-5020L security camera. The passphrases and other information required to sign with the certificates were also available in the packages.
In order to make quick amends, Microsoft has said that it has updated its Certificate Trust List by removing trust for the four certificates leaked by D-Link, as they could have been used to sign malicious code. Two of the certificates were issued by Symantec and belonged to D-Link and Alpha Networks. The other two were issued by GoDaddy and belonged to TRENDnet and Keebox.
Microsoft also said that the client versions of Windows 8, 8.1 and 10, as well as Windows Server 2012, Windows Server 2012 RT, Windows RT and Windows Phone 8 and 8.1, have updaters that automatically revoke the certificates without requiring any action from the user.
Although such a feature is not available for Windows 7, Vista, Windows Server 2008 and Windows Server 2008 R2, an automatic installer is available for these systems. Users can either download this installer or install update 2813430.
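An added example, not code from the article or from Microsoft, that lets an administrator check the effect of the Certificate Trust List update described above: it looks in the Windows Untrusted Certificates store for certificates whose subject names the four companies, then verifies whether any executable under a given folder was signed by one of them. The company-name matching and the folder path are assumptions; the real subject strings and thumbprints of the revoked certificates are not given on the page.

```powershell
# Added example (not from the article): audit the Disallowed (untrusted) store
# and Authenticode signatures for the four subjects named in the report.
# Assumption: the certificate subjects contain the company names as written
# in the article; the actual thumbprints are not on the page.
param(
    [string]$ScanPath = "C:\Downloads"   # hypothetical folder to audit
)

$subjects = @('D-Link', 'Alpha Networks', 'TRENDnet', 'Keebox')
$pattern  = ($subjects | ForEach-Object { [regex]::Escape($_) }) -join '|'

# 1. Which of the named subjects are present in the Disallowed store after the CTL update?
$untrusted = Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
    Where-Object { $_.Subject -match $pattern }

if ($untrusted) {
    "Untrusted store contains $($untrusted.Count) matching certificate(s):"
    $untrusted | Select-Object Thumbprint, Subject, NotBefore, NotAfter | Format-Table -AutoSize
} else {
    "No certificate matching the named subjects is in the Disallowed store."
}

# 2. Check signed binaries: once the signer is in the Disallowed store,
#    Get-AuthenticodeSignature reports Status 'NotTrusted' instead of 'Valid'.
Get-ChildItem -Path $ScanPath -Recurse -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = $sig.SignerCertificate
        if ($signer -and ($signer.Subject -match $pattern -or
                          $untrusted.Thumbprint -contains $signer.Thumbprint)) {
            [pscustomobject]@{
                File       = $_.FullName
                Status     = $sig.Status
                Signer     = $signer.Subject
                Thumbprint = $signer.Thumbprint
            }
        }
    } | Format-Table -AutoSize
```

A file signed with one of the leaked certificates before revocation will still show a matching signer; the Status column is what changes once the update is applied.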
Fox-IT researcher Yonathan Klijnsma said that the issue resulted from a small mistake by the person who packaged the source code for publishing. Since the keys were present in only a single version of the firmware, he believes the folder holding the private keys was simply not excluded from that particular package.
Yonathan Klijnsma said:
I think this was a mistake by whoever packaged the source code for publishing. The code signing certificate was only present in one of the source code packages with a specific version. The version above and below the specific package did not contain the folder in which the code signing certificates resided. A simple mistake of folder exclusion as far as I could see.
The certificate for D-Link was published on February 27 and expired on September 3, which means it was available for around six months. Whether or not it was used to sign malware during that time has yet to be determined.