

Venafi: Microsoft's Recent Certificate Issue Common To Global 2000

By Ken Presti
June 14, 2012    5:00 PM ET


Channel partners have their work cut out for them when it comes to reviewing their customers' security certificates in order to avoid the same type of breach that impacted Microsoft updates.

That's according to Jeff Hudson, CEO of Venafi, a Salt Lake City, Utah-based provider of enterprise key and certificate management solutions, who points to MD5 certificates as a key point of vulnerability to the Global 2000.

“Three of the certificates used in Windows licensing and updates were broken by a hacker, who exploited the fact that those certificates use an MD5 hash,” he said. “MD5 has been known since 2005 to be breakable. The hackers then created a remanufactured certificate and inserted themselves in the middle, in order to use the compromised certificates that open the door for the malware, in this case Flame, to get installed.”


On Sunday, June 3, Microsoft issued a statement indicating that the vulnerability had been closed. The MD5 certificates had been removed, thereby eliminating that particular breach. But Hudson says a substantial number of MD5 certificates are still in use throughout the business community. This means the threat is still very real, and it is compounded by the fact that more hackers are now acutely aware of the MD5 vulnerability.

"These MD5 certificates live on almost every single network in the Global 2000," he said. "We've surveyed over 450 organizations, and 17.4 percent of the certificates in the Global 2000 sample are MD5. So the open door that the hackers used to co-opt the Microsoft programs, those are on corporate networks today. In fact, the number might actually be a lot higher than that."

Certificates support a wide variety of devices, including Web servers, load balancers, routers, printers, cell phones, etc. "So the MD5 certificates are very much at risk," he said. "It's not just Flame that is a threat. It could be anything. Now, every hacker in the world understands that MD5 is vulnerable. So, all they need to do is find MD5 certificates, break them, and then they have the keys to the kingdom."
