Microsoft issues Emergency Windows Update to Block Fake SSL Certificates
2014-07-14, 12:17 PM,
#1
[Image: microsoft-update.jpg]

Quote:Today, Microsoft has issued an emergency update for almost all versions of Windows and also for Microsoft devices running Windows Phone 8 and 8.1 to secure users from attacks that abuse the latest issued rogue SSL certificates, which could be used to impersonate Google and Yahoo! websites.

A week after the search engine giant Google spotted and blocked unauthorized digital certificates for a number of its domains that could result in a potentially serious security and privacy threat, Microsoft has responded back to block the bogus certificates from being used on its software as well.

"Today, we are updating the Certificate Trust List (CTL) for all supported releases of Microsoft Windows to remove the trust of mis-issued third-party digital certificates," said Dustin Childs, group manager of response communications.

The fake digital certificates, issued by the National Informatics Centre (NIC) of India - a unit of India’s Ministry of Communications and Information Technology, were uncovered at the beginning of this month by Google's security team.

Microsoft officials warned the country's certification authorities as well as Microsoft, because the certificates issued by NIC are included in the Microsoft Root Store and so are trusted by a large number of applications running on Windows, including Internet Explorer and Chrome.

Yet, Microsoft is not aware of any kind of attack leveraging this issue, but millions of websites operated by banks, e-commerce companies and other types of online services make use of such kind of cryptographic credentials to encrypt the web traffic and prove the authenticity of their servers.

"These SSL certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against Web properties," a Microsoft advisory warned. "The subordinate CAs may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks."

The Certificate Trust list (CTL) update has been rolled out to all users who have automatic updates enabled, and for those who do not have the automatic updater of revoked certificates installed, Microsoft has released a patch that can be manually installed.

The emergency update addresses all Microsoft PC operating systems including Windows Vista, Windows version 8, 8.1, RT, RT 8.1, Server 2012, Server 2012 R2, and its Windows Phone 8 software. At this moment, there is no update available for systems running Windows Server 2003 to revoke the fraudulent certificates – Microsoft says it will issue an update as soon as one becomes available. Also Server 2003 support ends next year, but the company will provide a fix before then

Source
Reply
2014-07-17, 04:12 AM,
#2
There are so many fake SSL certificates nowadays..

Any questions related to CPA belong here.
Before posting, make sure you are in the correct section.

I am temporarily absent due to family circumstances.

Reply


Possibly Related Threads...
Thread Author Replies Views Last Post
  [INDIA UPDATE] 18% GST for PAYPAL/PAYONEER trafficbeast 29 657 2017-09-09, 09:08 PM
Last Post: trafficbeast
  Update - Not Going anymore this year! Going to join the army JohnWick 21 788 2017-08-31, 09:18 PM
Last Post: JohnWick
  Turkish authorities block Wikipedia without giving reason ann627 3 228 2017-04-30, 01:04 PM
Last Post: reshamanair
  Linux vs Windows Flipin_jackass 12 451 2017-04-22, 05:14 AM
Last Post: EctaPrime
  Windows ten spying on every image you look at. DutchPride 47 2,008 2017-04-06, 04:02 AM
Last Post: minatika




About Us | Contact Us | CPA Elites | Advertise | Stats | Staff Team

© 2013-2017 CPA Elites Ltd
Enhanced by MyBB and WallBB
Return to top