Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

The issue was that Microsoft left behind the ability to sign code with a Microsoft certificate by mistake.

The entire reason the attackers could use the certificate was because Microsoft left behind that functionality in the suite of software that allows enterprise customers to license their instances of Terminal Servers.

I am not railing against cryptographic signing as a concept -- what happened was Microsoft played fast and loose with their certificate chain in order to provide their customers with a way to prove that they had paid for software.

The certificate chain could have been a lot cleaner if that licensing bit wasn't necessary.



Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: