Microsoft releases certificate spoof fix for Windows XP, Server 2003

Summary: The company initially released protection against improper certificates issued by the French government certificate authority without support for XP and Server 2003, but has now come through.

TOPICS: Security, Microsoft

On Monday of this week Microsoft announced measures taken to respond to the creation of an improper intermediate certificate authority (CA) by the CA for the government of France, and the use of that intermediate CA to sign fake certificates for domains in the and other domains for which it had no authority.

Initially, Microsoft released countermeasures to protect users against any potential effects of these certificates — although none have been reported and the problem seems to have been contained — but they only released that protection for devices running supported editions of Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Phone 8 — not for Windows XP or Windows Server 2003. All support for Windows XP will end after Patch Tuesday this coming April, 2014. Support for Windows Server 2003 will extend into 2015.

Tonight, Microsoft released separate certificate protection for Windows XP and Windows Server 2003 users. The protection may be installed from Microsoft Update or downloaded from the Microsoft Download Center.

In its advisory on the issue, Microsoft thanks Google's Adam Langley and the Google Chrome Security Team for bringing the incident to its attention and working with it on the response.

  • Why were Windows XP and Windows Server 2003 excluded?

    Perhaps Microsoft does not consider this a security issue?
    • This is what I think

      The initial fixes were based on a facility, the Certificate Trust List (CTL), which doesn't work in XP/2003. I don't know why, but it could easily be that there are base APIs it needs which don't exist in XP/2003. They had to hack a specific fix for XP/2003 for this problem and it took a few days.
      • Thanks for the explanation Larry.

        Appreciate the articles.
    • Why XP?

      The main "Security Issue" is Windows XP

      You could not block ALL the hackers with XP, but you could block the Gov't unless you were using SP3 or Security Essentials which made backdoors around your firewall

      If they can get you off of XP, then you "might" be able to block the "Other" bad guys but not the Gov't

      Look, a carrot on a stick
      Lets follow that!
  • XP and Windows 2004 users would be safe by using Firefox

    See my comments at:

    AFAIK this CA vulnerability won't apply to Firefox because Mozilla opted to solve the real problem: improper use of CA powers. Microsoft and Google leave their users vulnerable to each incident because they don't follow the Mozilla Foundation's lead. :-(

    So, if you have to work with Windows XP, use only Firefox.