Public Safety Canada

Microsoft Security Advisory (2728973)

Number: AV12-032
Date: 13 July 2012

Purpose

The purpose of this advisory is to bring attention to a Microsoft Security Advisory and subsequent update patch addressing the revocation of a number of Microsoft digital certificates that are outside Microsoft's recommended secure storage practices.

Assessment

Microsoft has released the following advisory: Unauthorized Digital Certificates Could Allow Spoofing (2728973).

The advisory states that some Microsoft certificate authorities are outside Microsoft's recommended secure storage practices. Microsoft will be placing these certificates in the Untrusted Certificate Store and replacing them with new certificate authorities that meet its high standard of public key infrastructure (PKI) management.

This issue affects all supported releases of Microsoft Windows.

The Microsoft update places the following intermediate CA certificates in the Untrusted Certificate Store:

  • Microsoft Genuine Windows Phone Public Preview CA01
  • Microsoft IPTVe CA
  • Microsoft Online CA001
  • Microsoft Online Svcs BPOS APAC CA1
  • Microsoft Online Svcs BPOS APAC CA2
  • Microsoft Online Svcs BPOS APAC CA3
  • Microsoft Online Svcs BPOS APAC CA4
  • Microsoft Online Svcs BPOS APAC CA5
  • Microsoft Online Svcs BPOS APAC CA6
  • Microsoft Online Svcs BPOS CA1
  • Microsoft Online Svcs BPOS CA2
  • Microsoft Online Svcs BPOS CA2 (2 certificates)
  • Microsoft Online Svcs BPOS EMEA CA1
  • Microsoft Online Svcs BPOS EMEA CA2
  • Microsoft Online Svcs BPOS EMEA CA3
  • Microsoft Online Svcs BPOS EMEA CA4
  • Microsoft Online Svcs BPOS EMEA CA5
  • Microsoft Online Svcs BPOS EMEA CA6
  • Microsoft Online Svcs CA1 (2 certificates)
  • Microsoft Online Svcs CA3 (2 certificates)
  • Microsoft Online Svcs CA4 (2 certificates)
  • Microsoft Online Svcs CA5 (2 certificates)
  • Microsoft Online Svcs CA6
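
A post-deployment check for the list above, as an added example that is not part of this advisory or of Microsoft's update. It assumes the Untrusted Certificate Store is exposed to PowerShell as `Cert:\LocalMachine\Disallowed` and that the listed names match each certificate's simple name; the function and variable names are hypothetical.

```powershell
# Distinct CA names copied from the advisory's list. Matching on the
# certificate's simple name is an assumption of this example.
$AdvisoryCAs = @(
    'Microsoft Genuine Windows Phone Public Preview CA01',
    'Microsoft IPTVe CA',
    'Microsoft Online CA001',
    'Microsoft Online Svcs BPOS APAC CA1', 'Microsoft Online Svcs BPOS APAC CA2',
    'Microsoft Online Svcs BPOS APAC CA3', 'Microsoft Online Svcs BPOS APAC CA4',
    'Microsoft Online Svcs BPOS APAC CA5', 'Microsoft Online Svcs BPOS APAC CA6',
    'Microsoft Online Svcs BPOS CA1',      'Microsoft Online Svcs BPOS CA2',
    'Microsoft Online Svcs BPOS EMEA CA1', 'Microsoft Online Svcs BPOS EMEA CA2',
    'Microsoft Online Svcs BPOS EMEA CA3', 'Microsoft Online Svcs BPOS EMEA CA4',
    'Microsoft Online Svcs BPOS EMEA CA5', 'Microsoft Online Svcs BPOS EMEA CA6',
    'Microsoft Online Svcs CA1',           'Microsoft Online Svcs CA3',
    'Microsoft Online Svcs CA4',           'Microsoft Online Svcs CA5',
    'Microsoft Online Svcs CA6'
)

function Get-UntrustedCAStatus {
    param(
        [string[]]$Names = $AdvisoryCAs,
        [string]$StorePath = 'Cert:\LocalMachine\Disallowed'
    )
    $simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    # Index every certificate in the store by its simple name (normally the CN).
    $found = @{}
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $cn = $cert.GetNameInfo($simple, $false)
        if (-not $found.ContainsKey($cn)) { $found[$cn] = @() }
        $found[$cn] += $cert.Thumbprint
    }
    # Emit one row per advisory name, including names with no match.
    foreach ($name in $Names) {
        $hits = @()
        if ($found.ContainsKey($name)) { $hits = $found[$name] }
        New-Object PSObject -Property @{
            Name        = $name
            InStore     = $hits.Count
            Thumbprints = ($hits -join ', ')
        }
    }
}

# Names with no entry in the store sort to the top.
Get-UntrustedCAStatus | Sort-Object InStore, Name | Format-Table Name, InStore, Thumbprints -AutoSize
```

Compare each `InStore` value with the certificate count given in the list; a name showing 0 is a prompt to confirm that update 2728973 is installed on that host.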

Affected Software and Devices:

  • Windows XP Service Pack 3
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 with SP2 for Itanium-based Systems
  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for Itanium-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for Itanium-based Systems
  • Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

References:

http://technet.microsoft.com/en-us/security/advisory/2728973
http://support.microsoft.com/kb/2728973
http://blogs.technet.com/b/srd/archive/2012/07/10/microsoft-s-continuing-work-on-digital-certificates.aspx

Suggested action

CCIRC recommends that system administrators test and deploy the vendor-released update to affected applications accordingly.

Note to Readers

The Canadian Cyber Incident Response Centre (CCIRC) operates within Public Safety Canada, and works with partners inside and outside Canada to mitigate cyber threats to vital networks outside the federal government. These include systems that keep Canada's critical infrastructure functioning properly, such as the electrical grid and financial networks, or contain valuable commercial information that underpins our economic prosperity. CCIRC supports the owners and operators of systems of national importance, including critical infrastructure, and is responsible for coordinating the national response to any serious cyber security incident.

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca