T-724: Microsoft Security Advisory: Fraudulent digital certificates could allow spoofing

September 22, 2011 - 12:45pm



Microsoft Security Advisory: Fraudulent digital certificates could allow spoofing.


Microsoft Untrusted Certificate Store: DigiNotar root certificates


Microsoft has released a Microsoft security advisory about this issue for IT professionals.

Reference Links:

MS Article ID: 2616676
Microsoft Security Advisory: 2607712
DOE-CIRC Tech Bulletin: T-706




The Microsoft update revokes the trust of the following DigiNotar root certificates by putting them in the Microsoft Untrusted Certificate Store:

DigiNotar Root CA
DigiNotar Root CA G2
DigiNotar PKIoverheid CA Overheid
DigiNotar PKIoverheid CA Organisatie - G2
DigiNotar PKIoverheid CA Overheid en Bedrijven
DigiNotar Root CA Issued by Entrust (2 certificates)
DigiNotar Services 1024 CA Issued by Entrust
DigiNotar Cyber CA Issued by GTE CyberTrust (3 certificates)


Before September 19, 2011, the versions of update 2616676 for Windows XP and for Windows Server 2003 contained only the latest six digital certificates cross-signed by GTE and Entrust. These versions of the update did not contain the digital certificates that were included in update 2607712 or 2524375. Update 2616676 also incorrectly superseded update 2607712. Therefore, if you installed update 2616676 before September 19, 2011, and had not already installed update 2607712 or update 2524375, your system would not have been protected from the use of fraudulent digital certificates as described in security advisory 2607712.
Microsoft Support


Microsoft has finished the investigation into an issue with update 2616676 for all Windows XP-based and Windows Server 2003-based systems.
On September 19, 2011, we rereleased update 2616676 to address this issue. If you are running Windows XP or Windows Server 2003 and you have not applied updates 2524375, 2607712, and 2616676, you should install cumulative update 2616676.
Microsoft Downloads

Some Windows Server 2003 customers may also notice that two SHA2 certificates are missing. The fingerprints of these certificates are as follows:

These certificates are missing because, by default, Windows Server 2003 does not support SHA2 certificates.
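
One way to confirm on a given host that the certificates listed above are actually in the Untrusted Certificate Store, as an added example that is not from Microsoft or the original bulletin. It assumes PowerShell 2.0 or later, that `Cert:\LocalMachine\Disallowed` is the store the update writes to, and that each certificate's subject name matches the name printed in this bulletin (the page gives no thumbprints to match on).

```powershell
# Added example: audit the Untrusted Certificates store for the DigiNotar entries above.
# Assumption: each certificate's subject simple name (CN) equals the name in the bulletin.
# CrossSigner is $null for entries the bulletin lists without an "Issued by" note.
$expected = @(
    @{ Name = 'DigiNotar Root CA';                              CrossSigner = $null;            Count = 1 },
    @{ Name = 'DigiNotar Root CA G2';                           CrossSigner = $null;            Count = 1 },
    @{ Name = 'DigiNotar PKIoverheid CA Overheid';              CrossSigner = $null;            Count = 1 },
    @{ Name = 'DigiNotar PKIoverheid CA Organisatie - G2';      CrossSigner = $null;            Count = 1 },
    @{ Name = 'DigiNotar PKIoverheid CA Overheid en Bedrijven'; CrossSigner = $null;            Count = 1 },
    @{ Name = 'DigiNotar Root CA';                              CrossSigner = 'Entrust';        Count = 2 },
    @{ Name = 'DigiNotar Services 1024 CA';                     CrossSigner = 'Entrust';        Count = 1 },
    @{ Name = 'DigiNotar Cyber CA';                             CrossSigner = 'GTE CyberTrust'; Count = 3 }
)
$crossSigners = 'Entrust|GTE CyberTrust'
$disallowed   = @(Get-ChildItem Cert:\LocalMachine\Disallowed)

$report = foreach ($e in $expected) {
    $found = @($disallowed | Where-Object {
        # Cross-signed entries must name their cross-signer as issuer; the rest must not.
        $issuerOk = ($e.CrossSigner -and ($_.Issuer -match $e.CrossSigner)) -or
                    ((-not $e.CrossSigner) -and ($_.Issuer -notmatch $crossSigners))
        $issuerOk -and ($_.GetNameInfo('SimpleName', $false) -eq $e.Name)
    })
    New-Object PSObject -Property @{
        Certificate = $e.Name
        IssuedBy    = $(if ($e.CrossSigner) { $e.CrossSigner } else { '(not cross-signed)' })
        Expected    = $e.Count
        Found       = $found.Count
        Status      = $(if ($found.Count -ge $e.Count) { 'OK' } else { 'MISSING' })
    }
}
$report | Format-Table Certificate, IssuedBy, Expected, Found, Status -AutoSize

# Which of the three updates named in the bulletin does the host record as installed?
$kbs = 'KB2524375', 'KB2607712', 'KB2616676'
$installed = @(Get-HotFix -Id $kbs -ErrorAction SilentlyContinue | ForEach-Object { $_.HotFixID })
$kbs | ForEach-Object { '{0}: {1}' -f $_, $(if ($installed -contains $_) { 'installed' } else { 'not reported' }) }

if (@($report | Where-Object { $_.Status -eq 'MISSING' }).Count -gt 0) {
    Write-Warning 'DigiNotar certificates are missing from the Untrusted store; install the rereleased update 2616676.'
}
```

The hotfix list only shows which KB numbers the host records, so the store contents are what show whether the certificates are distrusted. On Windows Server 2003, up to two `MISSING` rows can be the SHA2 certificates described above rather than a failed update.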