Microsoft Security Update Advisory 2982792 Block Fake SSL Certificates
Microsoft is aware of improperly issued SSL certificates that could
be used in attempts to spoof content, perform phishing attacks, or
perform man-in-the-middle attacks. The SSL certificates were improperly
issued by the National Informatics Centre (NIC), which operates
subordinate CAs under root CAs operated by the Government of India
Controller of Certifying Authorities (CCA), which are CAs present in the
Trusted Root Certification Authorities Store. This issue affects all
supported releases of Microsoft Windows. Microsoft is not currently
aware of attacks related to this issue.
The subordinate CA has been misused to issue SSL certificates for multiple sites, including Google web properties. These SSL certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against web properties. The subordinate CAs may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks.
To help protect customers from potentially fraudulent use of this digital certificate, Microsoft is updating the Certificate Trust list (CTL) for all supported releases of Microsoft Windows to remove the trust of certificates that are causing this issue. For more information about these certificates, see the Frequently Asked Questions section of this advisory.
Recommendation. An automatic updater of revoked certificates is included in supported editions of Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, and Windows Server 2012 R2, and for devices running Windows Phone 8 or Windows Phone 8.1. For these operating systems or devices, customers do not need to take any action because the CTL will be updated automatically.
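The advisory says that hosts with the automatic updater need no action, but a practitioner will want to confirm that on a given machine: that the updater is not switched off by policy, when the disallowed CTL was last synced, whether the stand-alone update has populated the Untrusted Certificates store, and, most importantly, what the local chain engine says about a live certificate. The following PowerShell script is an added example, not part of Microsoft Security Advisory 2982792 or of the article; the subject-name pattern for the NIC subordinate CAs, the example host name and the use of the registry values below are assumptions made here, so adjust them to the names the advisory FAQ lists.

```powershell
# Added example: not from Microsoft Security Advisory 2982792 or the article above.
# Run in an elevated PowerShell on the Windows host you want to check.
# Assumptions (not stated in the advisory): the subject-name pattern, the example host,
# and the registry locations, which are the ones the root/CTL auto-updater and its
# Group Policy setting use.

$SubjectPattern = 'NIC|National Informatics Centre'   # assumed pattern for the NIC subordinate CAs
$ExampleHost    = 'www.google.com'                    # example host to probe; any HTTPS host works

function Test-CtlAutoUpdatePolicy {
    # Group Policy "Turn off Automatic Root Certificates Update" writes DisableRootAutoUpdate = 1.
    # With it set, neither the trusted-root CTL nor the disallowed CTL is refreshed from
    # Windows Update, so the advisory's "no action needed" does not hold for that host.
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $v = (Get-ItemProperty -Path $policy -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue).DisableRootAutoUpdate
    if ($v -eq 1) { Write-Warning "Automatic CTL updates are disabled by policy ($policy)."; return $false }
    return $true
}

function Get-DisallowedCtlLastSync {
    # The auto-updater records its last successful download of the disallowed CTL as a FILETIME.
    $key = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
    $raw = (Get-ItemProperty -Path $key -Name DisallowedCertLastSyncTime -ErrorAction SilentlyContinue).DisallowedCertLastSyncTime
    if (-not $raw) { return $null }                    # never synced, or an OS without the updater
    [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($raw, 0))
}

function Get-DisallowedEntries {
    param([string]$Pattern)
    # Untrusted Certificates store. Certificates delivered by the stand-alone update for
    # older Windows releases show up here; the authoritative check is the chain build below.
    Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
        Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint
}

function Test-ServerChain {
    param([string]$HostName, [int]$Port = 443)
    # Pull the leaf certificate from a TLS handshake, then let the local chain engine judge it.
    # The validation callback accepts everything so that the verdict can be inspected here.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $ok = $chain.Build($leaf)
    # A certificate covered by the disallowed CTL fails with ExplicitDistrust on some element of
    # the chain. A mis-issued NIC certificate chaining to a CCA India root in the trusted root
    # store would show that flag rather than UntrustedRoot.
    $distrust = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::ExplicitDistrust
    [pscustomobject]@{
        Host     = $HostName
        Leaf     = $leaf.Subject
        Path     = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
        Trusted  = $ok
        Status   = (($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; ')
        Distrust = [bool]($chain.ChainStatus | Where-Object { $_.Status.HasFlag($distrust) })
    }
}

Test-CtlAutoUpdatePolicy
"Disallowed CTL last sync (UTC): $(Get-DisallowedCtlLastSync)"
Get-DisallowedEntries -Pattern $SubjectPattern | Format-Table -AutoSize
Test-ServerChain -HostName $ExampleHost | Format-List
```

On a host that has received the CTL, a chain built for a certificate issued by one of the blocked NIC subordinate CAs reports Trusted = False with ExplicitDistrust in its status; a host where the policy check warns, or where the last sync time is stale or empty, should get the stand-alone update for its Windows release instead of relying on the automatic updater.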
A week after Google spotted and blocked unauthorized digital certificates
issued for a number of its domains, a potentially serious security and
privacy threat, Microsoft has responded by blocking the bogus certificates
in its software as well.
"Today, we are updating the Certificate Trust List (CTL) for all
supported releases of Microsoft Windows to remove the trust of
mis-issued third-party digital certificates," said Dustin Childs, group manager of response communications.
The fake digital certificates,
issued by the National Informatics Centre (NIC) of India - a unit of
India’s Ministry of Communications and Information Technology, were
uncovered at the beginning of this month by Google's security team.
Google's security team notified India's Controller of Certifying
Authorities as well as Microsoft, because the CCA India root certificates
that NIC's subordinate CAs chain up to are included in the Microsoft Root
Store and so are trusted by a large number of applications running on
Windows, including Internet Explorer and Chrome.
Microsoft says it is not aware of any attack leveraging this issue, but
the stakes are high: millions of websites operated by banks, e-commerce
companies and other online services rely on such cryptographic
credentials to encrypt their web traffic and to prove the authenticity of
their servers.
source: https://technet.microsoft.com/