Fraudulent DigiNotar SSL Certificate

US-CERT is aware of public reports of the existence of fraudulent SSL certificates issued by DigiNotar. These fraudulent SSL certificates could be used by an attacker to masquerade as legitimate sites.

Mozilla has released Firefox 3.6.22 and Firefox 6.0.2 to address this issue. Additional information can be found in the Mozilla Security Blog.

Microsoft has removed the DigiNotar root certificates from the Microsoft Certificate Trust List. This change affects all versions of Windows Vista, Windows 7, Windows XP, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2003. Additional information can be found in Microsoft Security Advisory 2607712.

Google Chrome users are protected from this attack due to Chrome’s built-in certificate pinning feature. Google has also released Chrome 13.0.782.220 for Windows, Mac, Linux, and Chrome Frame to address this issue. Additional information can be found in the Google Security Blog and in the Google Chrome Releases blog entry.

Apple has released Security Update 2011-005 for Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion 10.7.1, and Lion Server 10.7.1 to address this issue. Additional information can be found in Apple article HT4920.

Adobe will be releasing an update to remove the DigiNotar certificate from the Adobe Approved Trust List. In the meantime, Adobe has released a blog entry containing a work-around for Adobe Reader and Acrobat 9, and Adobe Reader and Acrobat X.

US-CERT encourages users and administrators to apply any necessary updates to help mitigate the risks. US-CERT will provide additional information as it becomes available.