A vulnerability was reported in Microsoft Windows. A remote user may be able to spoof code signing signatures.
Version(s): XP SP3, 2003 SP2, Vista SP2, 2008 SP2, 7 SP1, 2008 R2 SP1; and prior service packs
The operating system includes some invalid intermediate certificates. The vulnerability is due to the certificate authorities and not the operating system itself.
The invalid certificates and their thumbprints are:
Microsoft Enforced Licensing Intermediate PCA: 2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70
Microsoft Enforced Licensing Intermediate PCA: 3a 85 00 44 d8 a1 95 cd 40 1a 68 0c 01 2c b0 a3 b5 f8 dc 08
Microsoft Enforced Licensing Registration Authority CA (SHA1): fa 66 60 a9 4a b4 5f 6a 88 c0 d7 87 4d 89 a8 63 d7 4d ee 97
Unauthorized digital certificates derived from these certificate authorities are being actively used in attacks.
Modification of authentication information
The vendor has issued a fix (KB2718704), available via automatic update.