Microsoft Security Advisory (961509)



Research proves feasibility of collision attacks against MD5

Published: December 30, 2008

Microsoft is aware that research was published at a security conference proving a successful attack against X.509 digital certificates signed using the MD5 hashing algorithm. This attack method could allow an attacker to generate additional digital certificates with different content that have the same digital signature as an original certificate. The MD5 algorithm had previously shown a vulnerability, but a practical attack had not yet been demonstrated.

This new disclosure does not increase risk to customers significantly, as the researchers have not published the cryptographic background to the attack, and the attack is not repeatable without this information. Microsoft is not aware of any active attacks using this issue and is actively working with certificate authorities to ensure they are aware of this new research and is encouraging them to migrate to the newer SHA-1 signing algorithm.

While this issue is not a vulnerability in a Microsoft product, Microsoft is actively monitoring the situation and has worked with affected Certificate Authorities to keep customers informed and to provide customer guidance as necessary.

Mitigating Factors:

• Microsoft is not aware of specific attacks against MD5, so previously issued certificates that were signed using MD5 are not affected and do not need to be revoked. This issue only affects certificates being signed using MD5 after the publication of the attack method.

• Most public Certificate Authority roots no longer use MD5 to sign certificates, but have upgraded to the more secure SHA-1 algorithm. Customers should contact their issuing Certificate Authority for guidance.

• When visited, Web sites that use Extended Validation (EV) certificates show a green address bar in most modern browsers. These certificates are always signed using SHA-1 and as such are not affected by this newly reported research.

General Information

Overview

Purpose of Advisory: To assist customers in assessing the impact of this research announcement on their current certificate deployments.

Advisory Status: Issue Confirmed. No Security Update Planned.

Recommendation: Review the suggested actions and configure as appropriate.

References:

Microsoft Knowledge Base Article: 961509

http://www.microsoft.com/technet/security/...ory/961509.mspx


MD5 Hack Is Not a Threat, Microsoft Says

Gregg Keizer, Computerworld

Tuesday, December 30, 2008 1:35 PM PST

In reaction to the news today that security researchers have come up with a way to spoof the digital certificates that secure many Web sites, Microsoft Corp. downplayed the threat to users.

In a security advisory, Microsoft acknowledged the disclosure earlier in the day of an exploit of long-known bugs in the MD5 hashing algorithm used to create the digital certificates that in turn provide proof of a secure connection between users and Web sites. But the software vendor minimized the danger that users could face.

"This new disclosure does not increase risk to customers significantly, as the researchers have not published the cryptographic background to the attack, and the attack is not repeatable without this information," said Microsoft. The company added that it wasn't aware of any actual attacks using the techniques described by an international team of researchers from Germany, the Netherlands, Switzerland and the U.S.

more here: http://www.pcworld.com/businesscenter/arti...osoft_says.html
