Last week, multiple browser vendors issued updates in response to the exploit of the DigiNotar SSL certificate authority (CA).
As it turns out, those updates didn’t go far enough, as the exploit of DigiNotar is worse than initial reports indicated. Mozilla has issued Firefox 6.0.2 as its second patch to help protect its browser users against the risk of fraudulent DigiNotar SSL certificates.
“The main change is to add explicit distrust to the DigiNotar root certificate and several intermediates,” Mozilla stated in its advisory. “Removing the root as in our previous fix meant the certificates could be considered valid if cross-signed by another Certificate Authority.”
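The difference Mozilla describes between removing a root and explicitly distrusting it, shown in a simplified certificate path-building model. This is an added illustration, not code from Mozilla or from the article; the certificate names are constructed placeholders and no signatures are verified.

```python
# Simplified model of certificate path building, added to illustrate why
# removing a root from the trust store is weaker than explicitly distrusting it.
# Constructed example: no real certificates or signatures, names are placeholders.
from collections import namedtuple

Cert = namedtuple("Cert", ["subject", "issuer"])

# Constructed certificate pool as a browser might see it: the chain it receives
# plus certificates it already caches. "DigiNotar Root CA" appears twice: once
# self-signed, and once cross-signed by another root ("Other Trusted Root").
POOL = [
    Cert("www.example.test", "DigiNotar Intermediate"),
    Cert("DigiNotar Intermediate", "DigiNotar Root CA"),
    Cert("DigiNotar Root CA", "DigiNotar Root CA"),     # self-signed root
    Cert("DigiNotar Root CA", "Other Trusted Root"),    # cross-signed copy
    Cert("Other Trusted Root", "Other Trusted Root"),   # still-trusted root
]

def build_paths(leaf, pool, path=None):
    """Yield every issuer chain from leaf up to a self-signed certificate."""
    path = (path or []) + [leaf]
    if leaf.subject == leaf.issuer:
        yield path
        return
    for cert in pool:
        if cert.subject == leaf.issuer and cert not in path:
            yield from build_paths(cert, pool, path)

def is_trusted(leaf, pool, trusted_roots, distrusted):
    """Accept if some path ends at a trusted root and contains no distrusted name."""
    for path in build_paths(leaf, pool):
        if any(c.subject in distrusted for c in path):
            continue                     # explicit distrust poisons the whole path
        if path[-1].subject in trusted_roots:
            return True
    return False

LEAF = POOL[0]

def removal_only():
    # First fix: the DigiNotar root is simply absent from the trust anchors,
    # but the cross-signed copy still chains to "Other Trusted Root".
    return is_trusted(LEAF, POOL, trusted_roots={"Other Trusted Root"}, distrusted=set())

def explicit_distrust():
    # Second fix: root and intermediates are placed on an explicit distrust list.
    return is_trusted(LEAF, POOL, trusted_roots={"Other Trusted Root"},
                      distrusted={"DigiNotar Root CA", "DigiNotar Intermediate"})
```

With removal alone the leaf is still accepted via the cross-signed path; with explicit distrust every path through the DigiNotar names is rejected.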
Microsoft has similarly moved to distrust the DigiNotar CA with a patch update made available late Tuesday.
“Microsoft is providing an update for all supported releases of Microsoft Windows that revokes the trust of the following DigiNotar root certificates by placing them into the Microsoft Untrusted Certificate Store,” Microsoft warned in its updated advisory.
The new browser updates come as the alleged hacker behind the DigiNotar exploit boasted that more certificate authorities were at risk. The alleged attacker also claims to be the same person behind the Comodo CA attack in March of this year.
“You know, I have access to 4 more so HIGH profile CAs, which I can issue certs from them too which I will,” the alleged attacker going by the alias ‘Comodohacker’ wrote in a warning that has been shared on pastebin.
One of the CAs named by Comodohacker as a high-profile certificate authority at risk is GlobalSign, and it is a risk that GlobalSign is taking very seriously.
“As a responsible CA, we have decided to temporarily cease issuance of all Certificates until the investigation is complete,” GlobalSign wrote in a statement.
GlobalSign has engaged the Dutch security firm Fox-IT to conduct its investigation. Fox-IT was also contracted by DigiNotar and this week released a scathing report, Operation Black Tulip, detailing DigiNotar’s insecurity.
“The successful hack implies that the current network setup and / or procedures at DigiNotar are not sufficiently secure to prevent this kind of attack,” the Fox-IT report stated. “All CA servers were members of one Windows domain, which made it possible to access them all using one obtained user/password combination.”
Fox-IT went on to note that the password was not very strong and could easily have been brute-forced. To add further insult to injury, their investigation found that the software installed on the public Web servers was outdated and unpatched.