Microsoft Defender Removes Legitimate DigiCert Certificates Following False Positive
AI-generated from multiple sources. Verify before acting on this reporting.
Microsoft Defender antivirus mistakenly flagged legitimate DigiCert root certificates as malicious on Saturday, disrupting services globally. The faulty detection followed a security breach in which, according to the reporting, initialization codes for DigiCert code-signing certificates were exposed.
The incident began when a Microsoft Defender signature update incorrectly classified certificates linked to the DigiCert breach as malicious. Defender then removed the certificates from the trust stores of affected systems. Because a root certificate is the trust anchor for every chain beneath it, removing it caused signature validation and TLS authentication failures for every application whose chain terminated at the deleted root, not only for the certificates actually tied to the breach. The error affected enterprise environments and individual consumers worldwide who rely on DigiCert for secure communications and software validation.
DigiCert confirmed that initialization codes for code-signing certificates were exposed in a security breach and stated that the exposed codes could potentially allow threat actors to obtain fraudulently issued certificates. Microsoft responded by updating its Defender signatures to block certificates associated with the compromise. The update was overly broad, however, and also captured legitimate certificates that had not been compromised.
The advanced persistent threat (APT) group tracked as APT-Q-27, also referred to as GoldenEyeDog, has been linked to the initial breach. Security researchers noted that the group has previously targeted certificate authorities to undermine trust in digital signatures. The exposure of initialization codes represents a significant escalation in the group's capabilities: malware signed with a validly issued certificate passes signature-based trust checks (SmartScreen prompts, driver and installer policies, application allow-lists keyed on publisher) that unsigned malware would fail, although it remains detectable by behavioural and reputation-based controls.
Microsoft acknowledged the error and issued a patch to restore the legitimate certificates to the affected trust stores. The company stated that it is refining its detection logic to prevent similar false positives in the future. DigiCert is reviewing its security procedures and has begun revoking potentially compromised certificates to mitigate the risk of unauthorized use; because revocation only takes effect on clients that actually check revocation status, organizations cannot rely on it alone.
The incident highlights the difficulty of balancing security and usability in certificate management. False positives can disrupt critical services, while false negatives allow malicious actors to operate undetected, and a detection that acts on trust anchors rather than on individual leaf certificates has the largest possible blast radius of either kind of error. The global scale of the impact underscores how interconnected digital infrastructure is and how much depends on accurate threat intelligence.
Questions remain about the full extent of the breach and whether any fraudulent certificates were successfully issued before the exposure was detected. Security experts are monitoring the situation for signs of exploitation and advising organizations to verify that the expected root certificates are still present in their trust stores and that the signature chains of the software they depend on still validate end to end. The incident may prompt a broader review of certificate authority security practices and of the mechanisms used to detect and respond to breaches in the digital trust ecosystem.
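The check described above, as an added example that is not part of the original reporting and not a Microsoft or DigiCert tool: it lists the DigiCert roots present in the Windows machine and user root stores, verifies the Authenticode signature on a signed file and walks its chain so that a missing root shows up as an explicit UntrustedRoot status, and records the current Defender signature version for the incident log. The script path and the default value of `$SignedFile` are assumptions; substitute any signed binary your environment depends on.

```powershell
# Added example (not from the original reporting): audit the Windows trust stores
# for DigiCert roots and verify a signed file's chain after a trust-store change.
# Assumptions: run in an elevated PowerShell on Windows; $SignedFile is a
# hypothetical default, replace it with a binary you actually rely on.
param(
    [string]$SignedFile = "$env:SystemRoot\System32\notepad.exe"
)

# 1. Enumerate DigiCert roots in the machine and user Root stores.
$roots = foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like '*DigiCert*' } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter
}
if (-not $roots) {
    Write-Warning 'No DigiCert root certificates found in either Root store.'
} else {
    $roots | Format-Table -AutoSize
}

# 2. Check the Authenticode signature on the file.
$sig = Get-AuthenticodeSignature -FilePath $SignedFile
"Signature status for ${SignedFile}: $($sig.Status) ($($sig.StatusMessage))"

# 3. Build and validate the chain explicitly and report every status flag.
#    A root that Defender deleted from the store surfaces here as UntrustedRoot;
#    a certificate DigiCert has since revoked surfaces as Revoked.
if ($sig.SignerCertificate) {
    "Signer: $($sig.SignerCertificate.Subject)"
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $built = $chain.Build($sig.SignerCertificate)
    "Chain builds cleanly: $built"
    foreach ($element in $chain.ChainElements) {
        "  $($element.Certificate.Subject)  [$($element.Certificate.Thumbprint)]"
    }
    foreach ($status in $chain.ChainStatus) {
        Write-Warning "Chain status: $($status.Status) - $($status.StatusInformation)"
    }
}

# 4. Record the Defender signature version so the incident log shows whether the
#    faulty or the corrected definitions were active at the time of the check.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $mp = Get-MpComputerStatus
    "Defender AV signature version: $($mp.AntivirusSignatureVersion) (updated $($mp.AntivirusSignatureLastUpdated))"
}
```

Two caveats when reading the output. Windows can silently re-download a missing root through the automatic root update mechanism at the moment the chain is built, so a clean result on one machine does not prove the root was never removed; compare the enumerated thumbprints against a known-good baseline captured before the incident. And `RevocationMode = 'Online'` makes the check depend on network access to DigiCert's CRL or OCSP endpoints; in an isolated environment the chain reports RevocationStatusUnknown rather than a definitive answer.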