-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.2494
     Inadvertently Disclosed Digital Certificates Could Allow Spoofing
                             25 September 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Windows
                   Microsoft Windows Phone
Publisher:         Microsoft
Operating System:  Windows
                   Mobile Device
Impact/Access:     Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade

Original Bulletin: 
   https://technet.microsoft.com/en-us/library/security/3097966

Comment: Microsoft is aware of four digital certificates that were 
         inadvertently disclosed by D-Link Corporation that could be used in
         attempts to spoof content.

- --------------------------BEGIN INCLUDED TEXT--------------------

Microsoft Security Advisory 3097966

Inadvertently Disclosed Digital Certificates Could Allow Spoofing

Published: September 24, 2015

Version: 1.0

Executive Summary

Microsoft is aware of four digital certificates that were inadvertently 
disclosed by D-Link Corporation that could be used in attempts to spoof 
content. The disclosed end-entity certificates cannot be used to issue other 
certificates or impersonate other domains, but could be used to sign code. 
This issue affects all supported releases of Microsoft Windows.

To help protect customers from potentially fraudulent use of the certificates,
Microsoft has modified the Certificate Trust List (CTL) to remove trust for 
the four certificates. Furthermore, the respective issuing certificate 
authorities have revoked the certificates. For more information, see the 
Frequently Asked Questions section of this advisory.

Affected Software

Operating System

Windows Vista Service Pack 2

Windows Vista x64 Edition Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for Itanium-based Systems Service Pack 2

Windows 7 for 32-bit Systems Service Pack 1

Windows 7 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

Windows 8 for 32-bit Systems

Windows 8 for x64-based Systems

Windows Server 2012

Windows RT

Windows 8.1 for 32-bit Systems

Windows 8.1 for x64-based Systems

Windows Server 2012 R2

Windows RT 8.1

Windows 10 for 32-bit Systems

Windows 10 for x64-based Systems

Server Core installation option

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core 
installation)

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core 
installation)

Windows Server 2008 R2 for x64-based Systems (Server Core installation)

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2 (Server Core installation)

Affected Devices

Windows Phone 8

Windows Phone 8.1

Note Windows Server Technical Preview 3 is affected. Customers running this 
operating system are encouraged to apply the update, which is available via 
Windows Update.

Advisory FAQ

What is the scope of the advisory? The purpose of this advisory is to notify
customers that Microsoft has modified the Certificate Trust List (CTL) to 
remove trust for four digital certificates and that the respective issuing 
certificate authorities (CAs) have revoked the certificates.

What caused the issue? The issue was caused by D-Link Corporation 
inadvertently publishing the certificates.

Does this update address any other digital certificates? Yes, in addition to 
addressing the certificates described in this advisory, this update is 
cumulative and includes digital certificates described in previous advisories:

Microsoft Security Advisory 3050995 
Microsoft Security Advisory 3046310 
Microsoft Security Advisory 2982792 
Microsoft Security Advisory 2916652 
Microsoft Security Advisory 2798897 
Microsoft Security Advisory 2728973 
Microsoft Security Advisory 2718704 
Microsoft Security Advisory 2641690 
Microsoft Security Advisory 2607712
Microsoft Security Advisory 2524375

What is cryptography?

Cryptography is the science of securing information by converting it between 
its normal, readable state (called plaintext) and one in which the data is 
obscured (known as ciphertext).

In all forms of cryptography, a value known as a key is used in conjunction 
with a procedure called a crypto algorithm to transform plaintext data into 
ciphertext. In the most familiar type of cryptography, secret-key 
cryptography, the ciphertext is transformed back into plaintext using the same
key. However, in a second type of cryptography, public-key cryptography, a 
different key is used to transform the ciphertext back into plaintext.

What is a digital certificate?

In public-key cryptography, one of the keys, known as the private key, must be
kept secret. The other key, known as the public key, is intended to be shared
with the world. However, there must be a way for the owner of the key to tell
the world who the key belongs to. Digital certificates provide a way to do 
this. A digital certificate is a tamperproof piece of data that packages a 
public key together with information about it (who owns it, what it can be 
used for, when it expires, and so forth).

What are certificates used for?

Certificates are used primarily to verify the identity of a person or device,
authenticate a service, or encrypt files. Normally you wont have to think 
about certificates at all. You might, however, see a message telling you that
a certificate is expired or invalid. In those cases you should follow the 
instructions in the message.

What is a certification authority (CA)?

Certification authorities are the organizations that issue certificates. They
establish and verify the authenticity of public keys that belong to people or
other certification authorities, and they verify the identity of a person or 
organization that asks for a certificate.

What is a Certificate Trust List (CTL)?

A trust must exist between the recipient of a signed message and the signer of
the message. One method of establishing this trust is through a certificate, 
an electronic document verifying that entities or persons are who they claim 
to be. A certificate is issued to an entity by a third party that is trusted 
by both of the other parties. So, each recipient of a signed message decides 
if the issuer of the signer's certificate is trustworthy. CryptoAPI has 
implemented a methodology to allow application developers to create 
applications that automatically verify certificates against a predefined list
of trusted certificates or roots. This list of trusted entities (called 
subjects) is called a certificate trust list (CTL). For more information, 
please see the MSDN article, Certificate Trust Verification.

What might an attacker do with these certificates?

An attacker could use the certificates to fraudulently sign code.

What is Microsoft doing to help with resolving this issue?

Although this issue does not result from an issue in any Microsoft product, we
are nevertheless updating the CTL and providing an update to help protect 
customers. Microsoft will continue to investigate this issue and may make 
future changes to the CTL or release a future update to help protect 
customers.

After applying the update, how can I verify that the certificate is in the 
Microsoft Untrusted Certificates Store? For Windows Vista, Windows 7, Windows
Server 2008, and Windows Server 2008 R2 systems that are using the automatic 
updater of revoked certificates (see Microsoft Knowledge Base Article 2677070
for details), and for Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, 
Windows Server 2012, Windows Server 2012 R2, and Windows 10 systems, you can 
check the Application log in the Event Viewer for an entry with the following
values:

    Source: CAPI2

    Level: Information

    Event ID: 4112

    Description: Successful auto update of disallowed certificate list with 
effective date: Thursday, September 24, 2015 (or later).

For systems not using the automatic updater of revoked certificates, in the 
Certificates MMC snap-in, verify that the following certificate has been added
to the Untrusted Certificates folder:

Certificate 		Issued by 		Thumbprint

DLINK CORPORATION 	Symantec Corporation 	3e b4 4e 5f fe 6d c7 2d ed 70 3e 99 90 27 22 db 38 ff d1 cb

Alpha Networks 		Symantec Corporation 	73 11 e7 7e c4 00 10 9d 6a 53 26 d8 f6 69 62 04 fd 59 aa 3b

KEEBOX GoDaddy.com, 	LLC 			91 5a 47 8d b9 39 92 5d a8 d9 ae a1 2d 8b ba 14 0d 26 59 9c

TRENDnet GoDaddy.com, 	LLC 			db 50 42 ed 25 6f f4 26 86 7b 33 28 87 ec ce 2d 95  e7 96 14

Note For information on how to view certificates with the MMC Snap-in, see the
MSDN article, How to: View Certificates with the MMC Snap-in.

Suggested Actions

Apply the update for supported releases of Microsoft Windows

An automatic updater of revoked certificates is included in supported editions
of Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows RT 8.1, 
Windows Server 2012 R2, and Windows 10 and for devices running Windows Phone 8
and Windows Phone 8.1. For these operating systems or devices, customers do 
not need to take any action, because the CTL will be updated automatically.

For systems running Windows Vista, Windows 7, Windows Server 2008, or Windows
Server 2008 R2 that are using the automatic updater of revoked certificates 
(see Microsoft Knowledge Base Article 2677070 for details), customers do not 
need to take any action, because these systems will be automatically 
protected.

For systems running Windows Vista, Windows 7, Windows Server 2008, or Windows
Server 2008 R2 that do not have the automatic updater of revoked certificates
installed, this update is not available. To receive this update customers must
install the automatic updater of revoked certificates (see Microsoft Knowledge
Base Article 2677070 for details). Customers in disconnected environments who
are running Windows Vista, Windows 7, Windows 8, Windows Server 2008, Windows
Server 2008 R2, or Windows Server 2012 can install update 2813430 to receive 
this update (see Microsoft Knowledge Base Article 2813430 for details).

Additional Suggested Actions

Protect your PC

We continue to encourage customers to follow our Protect Your Computer 
guidance of enabling a firewall, getting software updates and installing 
antivirus software. For more information, see Microsoft Safety & Security 
Center. Keep Microsoft Software Updated

Users running Microsoft software should apply the latest Microsoft 
security updates to help make sure that their computers are as protected as 
possible. If you are not sure whether your software is up to date, visit 
Microsoft Update, scan your computer for available updates, and install any 
high-priority updates that are offered to you. If you have automatic updating
enabled and configured to provide updates for Microsoft products, the updates
are delivered to you when they are released, but you should verify that they 
are installed.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVgSt336ZAP0PgtI9AQKHyBAApTPoN6cEkUXBoaYGvSmeGi9gW+SzAsH+
b982f/vsxTfUzTqVZM4+kDQbrPvjEGYJt8DZfkV7uXEzAIAfIifQ8X9281eFR5yD
GqnLDkIo/QUlEWZEY4TNTLL4ompiySx3kgQn4q4YCyjUOEe22zdQP6JqR9tk+rkt
bDqhuhBijhllx94QgMp/ZMK4VubuzImnMr+bxb9A46PZseHB9b65+PJoxb4R3wIB
qx+aQ9tLFbaRrMvKsa4vuHgaZzSfBAKRhoU8qqmpQT39OMRGpn8Zo3TdAPTAPpw7
vSiQAUvJvobVYQcGkrzOUKrRv5s3tSWOtz6PhlkAuOk/BSeNji8WuOWuQpjO9O+w
GGpdVXTbERdb9Fz6Xie8iDfjLeUXEDz7eCSpaFOsEJqaxhMWWyfgFOXeVxaks+UN
D+OhERO/elV2GZ+m21vT6BgWK2n2jGPzeHuPiOj2RZVTtLRnNxr4dBfYddbU3KTx
Nl7H/Iw7wUQxmw9lrSUzburOoEDRePBYBUoWjr4VWRtvtg7W50lHS9IptIFZdhE7
kQUryUBuQ0PHtjiQwtb2NDSzjBW3SmQgG+cjqcSL4Hpl62DPO0CgJokYb2SDGCyQ
hQ2MEHeSXQUMVHk27zOcBjgA8T+doQdnS5lDygfmMfUI34Dv3d8NLkkapSgjPU64
xQSGWGgpdu8=
=feHN
-----END PGP SIGNATURE-----