Microsoft has published Security Advisory 3119884, Inadvertently Disclosed Digital Certificates Could Allow Spoofing. This advisory addresses the Dell root CA certificate disaster.
I’ve blogged about one of the two Dell incidents at Dell’s Superfish 2: Devices shipped with cloneable Root certificate. Dell has issued two self-signed root CA certificates for Windows whose private keys were disclosed.
Microsoft is aware of unconstrained digital certificates from Dell Inc. for which the private keys were inadvertently disclosed. One of these unconstrained certificates could be used to issue other certificates, impersonate other domains, or sign code. In addition, these certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against Dell customers. This issue affects all supported releases of Microsoft Windows.
Although Microsoft is not currently aware of attacks related to this issue, to protect customers from potentially fraudulent use of these unconstrained digital certificates, the certificates have been deemed no longer valid by Dell Inc. Microsoft is updating the Certificate Trust List (CTL) for all supported releases of Microsoft Windows to remove the trust of these certificates. For more information about these certificates, see Inadvertently Disclosed Digital Certificates Could Allow Spoofing.
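The condition the advisory describes is a trusted root CA certificate whose private key is present on the end-user device. The following PowerShell check, added here as an example and not taken from the original post, from Microsoft or from Dell, lists every certificate in the machine and user root stores that is self-signed and carries a private key. The advisory does not name the certificates or give their thumbprints, so the subject filter "Dell" is an assumed pattern; widen it to `'.'` to list every such certificate regardless of subject.

```powershell
# Added example (not from the original post, Microsoft or Dell): find trusted root
# certificates on this Windows machine that carry a private key. A root CA whose
# private key sits on an endpoint lets anyone who extracts that key issue
# certificates the endpoint will trust, which is the spoofing risk in the advisory.
# Assumption: $subjectPattern is a hypothetical filter; the advisory lists no
# certificate names or thumbprints, so adjust it for your environment.

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
$subjectPattern = 'Dell'   # assumed filter; use '.' to report every hit

foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object {
            $_.HasPrivateKey -and                 # private key is on this device
            $_.Subject -eq $_.Issuer -and         # self-signed, i.e. a root CA
            $_.Subject -match $subjectPattern
        } |
        ForEach-Object {
            # Emit one record per suspicious root so the output can be piped to
            # Export-Csv or compared across machines.
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
            }
        }
}
```

Run it from an elevated prompt so the LocalMachine store is fully readable; an empty result means no self-signed root with a local private key matched the filter. A hit is worth acting on even after the CTL update, since a system that cannot reach Windows Update will not receive the revised trust list, and removing the certificate from the store (as Dell's own removal guidance describes) takes effect immediately.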