Microsoft puts a bullet in blundering D-Link's leaked key that made malware VIPs on PCs
Private code-signing cert revoked at last
Microsoft has finally revoked D-Link's leaked code-signing key, which gave malware the red carpet treatment on millions of Windows PCs.
Last week, it emerged that, for six months between February and September, D-Link exposed its private code-signing key to the world in a firmware download. Anyone who stumbled upon this key could use it to dress up malware as a legit-looking D-Link application, tricking Windows and users into trusting it.
The certificate expired at the start of this month, meaning the key can no longer be used to produce signatures that Windows will accept on newly signed malware. But any software nasties signed, and timestamped by a timestamp authority, while the certificate was still valid would still be trusted and run by Windows PCs; expiry alone does not undo those signatures, which is why explicit revocation matters.
On Thursday, Microsoft confirmed it has updated its Certificate Trust List to no longer accept any software signed using D-Link's leaked private key – plus three other keys that the clumsy networking hardware maker also accidentally spilled onto the internet.
"Microsoft is aware of four digital certificates that were inadvertently disclosed by D-Link Corporation that could be used in attempts to spoof content," the Redmond giant noted today.
"The disclosed end-entity certificates cannot be used to issue other certificates or impersonate other domains, but could be used to sign code. This issue affects all supported releases of Microsoft Windows."
The four aforementioned certificates were issued to D-Link, Alpha Networks, KEEBOX, and TRENDnet.
Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, Windows 10, and devices running Windows Phone 8 and Windows Phone 8.1, will automatically apply the update to the Certificate Trust List – so users of these computers and gadgets need not do anything, and their computers will not trust any malware signed by the leaked keys.
People with installations of Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 that already have Microsoft's automatic updater of revoked certificates installed, so that the machine picks up Certificate Trust List changes on its own, also need to do nothing.
For everyone else, you must install Microsoft's automatic updater of revoked certificates to make sure your PC isn't hoodwinked by any software nasties that were digitally signed by the spilled keys. ®
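To see the distinction between an expired certificate and a revoked one on a given machine, the following PowerShell script is offered as an added check; it is example code written for this page, not anything published by Microsoft, D-Link or The Register. For one signed file it reports the Authenticode verdict Windows gives, whether the signing certificate has expired, whether the signature carries a timestamp countersignature (which is what keeps a signature valid after expiry), and whether the signer or anything in its chain sits in the Disallowed store, the "Untrusted Certificates" store that the Certificate Trust List update populates. It assumes a Windows host with the PowerShell certificate provider; the default path of notepad.exe is only a sample input, and the script runs unchanged against any signed executable or installer you point it at.

```powershell
# Added example, not from the article or from Microsoft/D-Link.
# Usage: .\Check-SignerTrust.ps1 -Path C:\path\to\file.exe
param(
    # Sample input only; replace with the binary you want to inspect.
    [string]$Path = (Join-Path $env:SystemRoot 'System32\notepad.exe')
)

$sig = Get-AuthenticodeSignature -FilePath $Path
"File:        $Path"
"Status:      $($sig.Status) ($($sig.StatusMessage))"

if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) {
    return
}

$cert = $sig.SignerCertificate
"Signer:      $($cert.Subject)"
"Thumbprint:  $($cert.Thumbprint)"
"Valid from:  $($cert.NotBefore.ToString('u')) to $($cert.NotAfter.ToString('u'))"
"Expired:     $((Get-Date) -gt $cert.NotAfter)"

# A timestamp countersignature is what lets a signature made inside the
# validity window stay valid after the certificate expires. Without it,
# expiry alone invalidates the signature; with it, only revocation does.
if ($sig.TimeStamperCertificate) {
    "Timestamped: yes, by $($sig.TimeStamperCertificate.Subject)"
} else {
    "Timestamped: no (signature stops validating once the certificate expires)"
}

# Collect thumbprints from the machine and user Disallowed stores. Entries
# pushed by the disallowed-certificate CTL update appear here, and Windows
# rejects any chain that contains one of them regardless of expiry dates.
$disallowed = @(Get-ChildItem -Path Cert:\LocalMachine\Disallowed, Cert:\CurrentUser\Disallowed -ErrorAction SilentlyContinue) |
    ForEach-Object { $_.Thumbprint }

# Build the signer's chain offline and compare every element against that list.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # CRL/OCSP not needed to consult the local Disallowed store
$null = $chain.Build($cert)
$hits = $chain.ChainElements | ForEach-Object { $_.Certificate } |
    Where-Object { $disallowed -contains $_.Thumbprint }

if ($hits) {
    "Disallowed:  yes, explicitly distrusted: $($hits.Subject -join '; ')"
} elseif ($sig.Status -ne 'Valid') {
    "Disallowed:  no, but Windows still does not trust the signature ($($sig.Status))"
} else {
    "Disallowed:  no"
}
```

If a file signed with one of the spilled keys shows "Expired: True" and "Timestamped: yes" but "Disallowed: no", the machine has not yet received the updated Certificate Trust List and will still run it; once the update lands, the signer's thumbprint appears in the Disallowed store and the Status field turns to NotTrusted.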