The recent security announcement from Microsoft acknowledging that an errant code-signing certificate is in the wild (www.microsoft.com) is a clear call to action for those of us charged with the design, deployment and operation of solid information security infrastructure. The question of the moment is, "Exactly what should that action be?"

The first response for many will be to wait for the security update that Microsoft has promised, which will 'revoke' the errant certificate so that it no longer represents Microsoft. Companies with well-managed information security programs will then distribute the update internally and bring their systems current. The update affects every system that runs a Microsoft operating system and uses a Microsoft browser. Note that the fix has to land on each individual client: a machine that misses the update continues to trust code signed with the errant certificate. Given the immense effort required to apply the update to millions of systems, this incident can be expected to cost hundreds of millions of dollars before all is said and done. And after the time is spent and the money is gone, we will still collectively hold our breath while we wait to see what happens on the home systems and unmanaged computers that will never be updated.
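A practitioner rolling out such an update wants a way to confirm, per host, that the errant certificate is actually untrusted there. The following PowerShell script is an added example, written for a modern Windows host; it is not from the original article, from Microsoft, or from any vendor advisory. It assumes the update places the certificate in the machine-wide Disallowed (Untrusted) store, and the thumbprint and sample file path are placeholders to be replaced with the values published for the incident.

```powershell
# Added example (not from the article or from Microsoft).
# Checks whether a revocation update has taken effect on this host by
# (1) looking for the errant code-signing certificate in the machine-wide
#     Disallowed store,
# (2) warning if a copy of it still sits in any trusted store, and
# (3) optionally verifying that a file signed with it is no longer accepted.
# The thumbprint and sample file are assumptions; substitute the advisory values.
param(
    [Parameter(Mandatory = $true)]
    [string]$ErrantThumbprint,          # assumed: SHA-1 thumbprint from the advisory
    [string]$SampleSignedFile = $null   # assumed: a file signed with the errant cert, if you have one
)

# Normalise the thumbprint so it compares cleanly against store entries.
$thumb = $ErrantThumbprint.Replace(' ', '').ToUpperInvariant()

# 1. Is the certificate present in LocalMachine\Disallowed?
$disallowed = Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
    Where-Object { $_.Thumbprint -eq $thumb }

if ($disallowed) {
    Write-Output "Errant certificate $thumb is in LocalMachine\Disallowed: update applied."
} else {
    Write-Output "Errant certificate $thumb NOT found in LocalMachine\Disallowed: update missing."
}

# 2. Is a copy of the certificate still installed in a trusted store?
$trustedCopies = Get-ChildItem -Path Cert:\ -Recurse |
    Where-Object { $_.Thumbprint -eq $thumb -and $_.PSParentPath -notmatch 'Disallowed' }

if ($trustedCopies) {
    Write-Output "WARNING: the certificate is also present in a trusted store:"
    $trustedCopies | ForEach-Object { Write-Output "  $($_.PSParentPath)" }
}

# 3. Optional: does Authenticode still accept a file signed with it?
if ($SampleSignedFile -and (Test-Path -Path $SampleSignedFile)) {
    $sig = Get-AuthenticodeSignature -FilePath $SampleSignedFile
    Write-Output ("Signature status for {0}: {1}" -f $SampleSignedFile, $sig.Status)
    if ($sig.Status -eq 'Valid') {
        Write-Output "WARNING: the signature is still accepted; the revocation is not effective on this host."
    }
}
```

Run it as an administrator so the LocalMachine stores are readable; the first check is the one to collect across a fleet, since it is a direct per-host indicator of whether the update landed, while the Authenticode check is only meaningful where a sample signed with the errant certificate is available.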

The link for this article located at SC Magazine is no longer available.