JMH
Emeritus, Contributor
- Apr 2, 2012
- 7,197
A cryptographic certificate Microsoft generated three weeks ago to authenticate the servers used to deliver updates to hundreds of millions of Windows users has received a failing grade from a widely used automated analysis tool. While the SSL Labs report card is prompting plenty of discussion in security circles, it's too early to conclude the credentials certifying the legitimacy of update.microsoft.com aren't safe, one of the engineers who designed the grading service said.
Microsoft generated the certificate on May 30, around the same time it learned that the Flame espionage malware hijacked the Windows Update process so it could spread from PC to PC inside a targeted network. It was later revealed that the hijacking technique required world-class mathematicians and scientists to execute a cryptographic collision attack in the underlying MD5 hashing algorithm. The precise variant had never been seen before in the research community.
http://arstechnica.com/security/2012/06/microsoft-windows-update-ssl-certificate-gets-failing-grade/
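The article above does not say which property of the update.microsoft.com chain SSL Labs marked down, but the Flame connection it draws is about one specific weakness: a certificate whose signature is computed over an MD5 digest can be forged by a chosen-prefix collision, so any MD5-signed certificate in a chain should fail a grader. The following is an added example, not code from Ars Technica, SSL Labs or Microsoft: a standard-library-only Python checker that walks a DER certificate to its outer signatureAlgorithm field and grades the hash it names. The certificate blobs it runs on are constructed stand-ins with a placeholder tbsCertificate and a fake signature; only the outer layout and the PKCS#1 OIDs are real.

```python
"""Flag weak signature algorithms (MD5/SHA-1) in DER X.509 certificates.

Pure standard library.  The small DER encoder at the bottom exists only to
build sample certificate-shaped blobs for the demonstration; it is not a
substitute for a real CA's issuance code.
"""

# PKCS#1 signature-algorithm OIDs (real values) classified by digest strength.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",   # the Flame attack target
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}
STRONG_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}


def der_read_tlv(data, offset=0):
    """Read one DER tag-length-value at offset; return (tag, content, next_offset)."""
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:                      # long-form length: 0x8N, then N bytes
        n = length & 0x7F
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    return tag, data[offset:offset + length], offset + length


def decode_oid(content):
    """Decode OBJECT IDENTIFIER content bytes into dotted-decimal form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def certificate_signature_oid(der):
    """Return the OID of the outer signatureAlgorithm of a DER Certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, cert, _ = der_read_tlv(der)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    _, _tbs, off = der_read_tlv(cert)              # skip tbsCertificate
    tag, alg_id, _ = der_read_tlv(cert, off)       # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm must be a SEQUENCE")
    tag, oid, _ = der_read_tlv(alg_id)             # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    return decode_oid(oid)


def grade_signature(der):
    """Grade one certificate: ('FAIL'|'OK'|'UNKNOWN', algorithm name or OID)."""
    oid = certificate_signature_oid(der)
    if oid in WEAK_SIGNATURE_OIDS:
        return "FAIL", WEAK_SIGNATURE_OIDS[oid]
    if oid in STRONG_SIGNATURE_OIDS:
        return "OK", STRONG_SIGNATURE_OIDS[oid]
    return "UNKNOWN", oid


def grade_chain(chain):
    """A chain is only as strong as its weakest signature: return the worst grade."""
    order = {"FAIL": 0, "UNKNOWN": 1, "OK": 2}
    return min((grade_signature(der) for der in chain), key=lambda g: order[g[0]])


# --- minimal DER encoder, used only to construct sample certificates ---------

def der_encode(tag, content):
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    length_bytes = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_encode(0x06, bytes(out))


def make_sample_certificate(sig_oid):
    """Constructed stand-in: placeholder TBS, real AlgorithmIdentifier, fake signature."""
    tbs = der_encode(0x30, der_encode(0x02, b"\x01"))                    # placeholder
    alg_id = der_encode(0x30, encode_oid(sig_oid) + der_encode(0x05, b""))  # OID + NULL
    signature = der_encode(0x03, b"\x00" + b"\xAA" * 128)                 # BIT STRING
    return der_encode(0x30, tbs + alg_id + signature)


if __name__ == "__main__":
    chain = [make_sample_certificate("1.2.840.113549.1.1.11"),   # leaf: SHA-256
             make_sample_certificate("1.2.840.113549.1.1.4")]    # intermediate: MD5
    for der in chain:
        print(grade_signature(der))
    print("chain grade:", grade_chain(chain))
```

Graders look at the whole chain because a forged intermediate (the Flame case) sits above an otherwise sound leaf; the leaf's own SHA-256 signature does nothing to protect it when a collision-forged CA certificate anchors it. A real deployment would feed `grade_chain` the DER certificates returned by the TLS handshake rather than the constructed blobs here.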