Microsoft released an emergency Windows update for devices, both PCs and Windows phones, running affected versions, after bogus SSL certificates surfaced that give attackers the ability to impersonate Google and Yahoo! websites.
In a security advisory published on its blog, Microsoft said the dozens of SSL certificates could be used to “spoof content, perform phishing attacks, or perform man-in-the-middle attacks against web properties.”
Tripwire security researcher Craig Young said, “The Microsoft advisory underscores the key risks of using public key infrastructure (PKI) to ensure the authenticity of a remote party. The system we use for securing websites is based on the network of trusted certificate authorities and subordinate authorities.”
The 45 fraudulent certificates, found nearly two weeks ago by Google’s security team, were issued by the National Informatics Centre (NIC) of India, a unit of India’s Ministry of Communications and Information Technology.
The update addresses systems running Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2. On these versions the Certificate Trust List (CTL) is updated automatically; users without the automatic updater installed can update it manually.
Tyler Reguly, manager of security research at Tripwire, said, “It is always unfortunate when this happens, but the advisory is basically the end of the problem.”
“Once the certificates are added to the CRL, the problem becomes moot. It’s when people are unaware of the issue that it causes harm,” said Reguly. “This is one of the inherent risks in the current system we use; it’s possible for mistakes and malicious actions to lead to improperly issued certificates.”
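To illustrate the point Young and Reguly make (trust rests on the network of root and subordinate CAs, and a mis-issued certificate becomes moot once its issuer is on the disallowed list), here is an added Python model that is not part of the original article and not Microsoft's or Tripwire's code. It builds a constructed three-certificate chain with the cryptography library (example names and freshly generated keys, not the real NIC material) and applies the two checks a client makes: signatures link to a trusted root, and nothing in the chain is on the disallowed list that the CTL update populates.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(cn, key, issuer_cn, issuer_key, is_ca):
    # Constructed certificate signed by issuer_key (test material only).
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=30))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    return builder.sign(issuer_key, hashes.SHA256())

def signed_by(cert, issuer):
    # True if the issuer's public key verifies cert's signature over its TBS bytes.
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def chain_trusted(chain, trusted_roots, disallowed):
    # chain = [leaf, ..., root]; both sets hold SHA-256 fingerprints. Accept only if
    # no member is disallowed (the CTL's job), each link is signed, and the root is trusted.
    if any(c.fingerprint(hashes.SHA256()) in disallowed for c in chain):
        return False
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject or not signed_by(child, parent):
            return False
    root = chain[-1]
    return root.fingerprint(hashes.SHA256()) in trusted_roots and signed_by(root, root)

# Constructed PKI: a trusted root, a subordinate CA, and a leaf the sub-CA should never have issued.
root_key, sub_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
ROOT = make_cert("Example Root CA", root_key, "Example Root CA", root_key, True)
SUB = make_cert("Example Subordinate CA", sub_key, "Example Root CA", root_key, True)
LEAF = make_cert("www.google.com", leaf_key, "Example Subordinate CA", sub_key, False)
TRUSTED = {ROOT.fingerprint(hashes.SHA256())}
CHAIN = [LEAF, SUB, ROOT]
def before_ctl_update():  # sub-CA still trusted, so the bogus leaf validates: True
    return chain_trusted(CHAIN, TRUSTED, disallowed=set())

def after_ctl_update():  # sub-CA added to the disallowed list: same chain rejected: False
    return chain_trusted(CHAIN, TRUSTED, disallowed={SUB.fingerprint(hashes.SHA256())})
```

Note that the signatures are identical in both calls; only the disallowed list changes, which is why distributing that list is the whole fix.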
At this time, Microsoft says no attacks leveraging this issue have been reported.
A list of all affected software and additional information is available here.