Last week it was announced that D-link had accidentally released private keys that are used to sign software, in their open source firmware packages. The keys tell devices that the software or firmware can be trusted, bypassing security measures.
The keys were found in firmware available for download from D-Link for the company’s DCS-5020L security camera; in addition to the private D-Link keys, passphrases and other information necessary to sign code were also available.
The keys were found by a researcher that happened to purchase D-Link’s DCS-5020L surveillance camera. He also happened to stumble across passphrases and other sensitive data that should not have been included. D-Link has revoked the keys and pushed out new versions of the firmware.
Microsoft, on the other hand, is just now getting around to revoking the leaked code-signing key. As of the end of the month, the key would have expired anyway, but any previously signed sites would’ve been able to drop malware on to Windows machines. Today, Microsoft announced that they had updated their Certificate Trust List to no longer include any software signed by the leaked D-link private, and revoked another three leaked keys issued by Alpha Networks, KEEBOX, and TRENDnet that also managed to get published online.
Microsoft did point out that many versions of Windows, including 8, 8,1, and 10, along with Windows Server 2012, 2012 R2, Windows RT, and Windows Phone 8 and 8.1, will automatically revoke the certificates on their own. However, if you have other versions of Windows, you’ll need to install the automatic updater, or manually install update 2813430.
“Microsoft is aware of four digital certificates that were inadvertently disclosed by D-Link Corporation that could be used in attempts to spoof content,” Microsoft said in their Advisory, “The disclosed end-entity certificates cannot be used to issue other certificates or impersonate other domains, but could be used to sign code.”
For information on how you can prevent your organization from being breached, visit www.miltonsecurity.com or call 714-515-4011.