D-Link's digital certificate disclosing could allow spoofing

Martin Brinkmann
Sep 27, 2015

D-Link Corporation disclosed four digital certificates recently inadvertently that attackers could use to spoof content.

While the certificates cannot be used to issue others or impersonate domains, they can be used to sign code which attackers could use to (better) disguise malware as legitimate software.

Microsoft has released a security advisory and an update to remove the affected digital certificates from supported versions of Windows. D-Link has revoked the certificates in the meantime as well.

The four leaked digital certificates are:

Certificate Issued by                    Thumbprint
DLINK CORPORATION Symantec Corporation ‎‎3e b4 4e 5f fe 6d c7 2d ed 70 3e 99 90 27 22 db 38 ff d1 cb
Alpha Networks Symantec Corporation ‎‎73 11 e7 7e c4 00 10 9d 6a 53 26 d8 f6 69 62 04 fd 59 aa 3b
KEEBOX GoDaddy.com, LLC 91 5a 47 8d b9 39 92 5d a8 d9 ae a1 2d 8b ba 14 0d 26 59 9c
TRENDnet GoDaddy.com, LLC db 50 42 ed 25 6f f4 26 86 7b 33 28 87 ec ce 2d 95 e7 96 14

The issue affects all current Microsoft operating systems that are still supported by the company starting with Windows Vista Service Pack 2 to Windows 10 on the client side, and Windows Server 2008 Service Pack 2 to Windows Server 2012 R2 on the server side.

The update is delivered automatically to all supported operating systems.Windows Vista, Windows 7, Windows Server 2008 and 2008 R2 systems need to have the "automatic updater of revoked certificates" installed. Microsoft customers in disconnected environments need to consult the following Microsoft Knowledgebase article for additional information.

One way to check that it has been applied is to verify this through the Event Viewer.

  1. Tap on the Windows-key, type Event Viewer and hit enter.
  2. Select Action > Create Custom View.
  3. Select "by source" and then the source CAPI2.
  4. Click ok, and on the next screen ok again.
  5. Wait until the list of events has been loaded and scroll down to the very bottom.
  6. You should see an information level event with the Event ID 4112 there.
  7. Double-click on it. It should have the description: Successful auto update of disallowed certificate list with effective date.

The update has not been applied yet if you don't see it listed yet in the Event Viewer. (via Deskmodder)

D-Link's digital certificate disclosing could allow spoofing
Article Name
D-Link's digital certificate disclosing could allow spoofing
Microsoft has revoked four digital certificates issues by D-Link which were inadvertently disclosed recently by the company.

Previous Post: «
Next Post: «


  1. Ron C. said on September 27, 2015 at 6:53 pm

    I don’t have this update. So I went to download the “automatic updater of revoked certificates” but when I tried to install it, I got a message saying it’s not applicable to my system. Now what do I do?

    1. Martin Brinkmann said on September 27, 2015 at 7:57 pm

      Did you check in the Event Viewer?

      1. Ron C. said on September 28, 2015 at 2:08 am

        Well I finally found it under Windows Logs >> Application. I assumed it would be under Windows Logs >> Security.

      2. Tom Hawack said on September 27, 2015 at 8:20 pm

        I checked this morning and missed the log with Nirsoft’s MyEventViewer because I focused on today 2015-09-27.

        I just searched for Event Id = 4112 and indeed found two of them dated 23 and 25 September 2015, both stating unauthorized certificates list update (translated from French).

        Thanks, Martin, in this way that your question made me check deeper before confirming my first result…

        I prefer, I had it in mind like an itching parasite …

    2. Tom Hawack said on September 27, 2015 at 7:38 pm

      Same here on Windows 7SP1… spent half an hour to try to figure out, no way. And don’t count on Microsoft to bother : they conceive the world as composed of admins exclusively the same way we would all be using the Web in an office, from an office, between offices, with office work & standards, all of us, the planet being a gigantic office :)

  2. chesscanoe said on September 27, 2015 at 4:46 pm

    This procedure worked positively for me on Windows 10 re the subject of interest, but it was a bit disconcerting to note other unrelated failures in the view….

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.