T-586: Microsoft Advisory about fraudulent SSL Certificates

March 23, 2011 - 3:05pm

PROBLEM:

Microsoft has released an advisory alerting its customers that a total of nine fraudulent certificates were issued by the Comodo certification authority for a third party whose identity Comodo did not sufficiently validate.

PLATFORM:

These certificates affect the following Web properties:

login.live.com
mail.google.com
www.google.com
login.yahoo.com (3 certificates)
login.skype.com
addons.mozilla.org
"Global Trustee"

ABSTRACT:

Microsoft Security Advisory 2524375 warns of nine fraudulent SSL certificates issued by Comodo for high-value Web properties and provides an update that places these certificates in the Windows Untrusted Certificates store.

REFERENCE LINKS:

Microsoft Security Advisory: 2524375
ISC 2011-03-23
Security updates

IMPACT ASSESSMENT:

High

Discussion:

Microsoft is aware of nine fraudulent digital certificates issued by Comodo, a certification authority present in the Trusted Root Certification Authorities Store on all supported versions of Microsoft Windows.

Comodo advised Microsoft on March 16, 2011 that nine certificates had been signed on behalf of a third party without sufficiently validating its identity. These certificates may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer.

Comodo has revoked these certificates, and they are listed in Comodo's current Certificate Revocation List (CRL). In addition, browsers which have enabled the Online Certificate Status Protocol (OCSP) will interactively validate these certificates and block them from being used. Note, however, that most browsers treat an unreachable CRL distribution point or OCSP responder as a soft failure and accept the certificate anyway, and an attacker who is already positioned to intercept a victim's traffic can also block the revocation lookup. Revocation alone is therefore not a reliable defense against these certificates, which is why an explicit blocklist on the client (the update described below) is needed as well.
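The revocation check described above, as an added example that is not part of the advisory: the script builds a throwaway CA with openssl, issues a certificate for login.live.com (the hostname is taken from the list above; the CA, keys and certificate are constructed locally and have nothing to do with Comodo's), revokes it, publishes a CRL, and then verifies the certificate twice. The verifier that does not load the CRL still reports the certificate as valid, which is exactly why a revoked certificate remains dangerous to any client that skips or soft-fails its revocation check. The working directory, names and the minimal openssl configuration are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the advisory: demonstrates that a revoked certificate
# is only rejected by a verifier that actually consults the CRL.
set -eu

WD=$(mktemp -d)            # throwaway directory for the demo CA (assumption)
trap 'rm -rf "$WD"' EXIT

# Minimal openssl config for both "req" (self-signed root) and "ca" (revoke/CRL).
setup_ca() {
  cat > "$WD/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Demo Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = demo
[ demo ]
database = $WD/index.txt
new_certs_dir = $WD
serial = $WD/serial
crlnumber = $WD/crlnumber
private_key = $WD/ca.key
certificate = $WD/ca.crt
default_md = sha256
default_days = 1
default_crl_days = 1
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
  : > "$WD/index.txt"
  echo 1000 > "$WD/serial"
  echo 01 > "$WD/crlnumber"
  openssl req -x509 -new -newkey rsa:2048 -nodes -config "$WD/ca.cnf" \
    -keyout "$WD/ca.key" -out "$WD/ca.crt" -subj "/CN=Demo Root CA" -days 2 \
    >/dev/null 2>&1
}

# Issue a leaf certificate for the hostname in $1, signed by the demo CA.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WD/ca.cnf" \
    -keyout "$WD/leaf.key" -out "$WD/leaf.csr" -subj "/CN=$1" >/dev/null 2>&1
  openssl x509 -req -in "$WD/leaf.csr" -CA "$WD/ca.crt" -CAkey "$WD/ca.key" \
    -CAcreateserial -out "$WD/leaf.crt" -days 1 >/dev/null 2>&1
}

# Revoke the leaf, publish a CRL, and bundle CA cert + CRL for the verifier.
revoke_leaf() {
  openssl ca -config "$WD/ca.cnf" -revoke "$WD/leaf.crt" >/dev/null 2>&1
  openssl ca -config "$WD/ca.cnf" -gencrl -out "$WD/demo.crl" >/dev/null 2>&1
  cat "$WD/ca.crt" "$WD/demo.crl" > "$WD/bundle.pem"
}

# Returns 0 if the leaf chains to the CA when no CRL is consulted: this is the
# check performed by a client that skips (or soft-fails) revocation.
verify_without_crl() {
  openssl verify -CAfile "$WD/ca.crt" "$WD/leaf.crt" >/dev/null 2>&1
}

# Returns 0 only if the leaf chains to the CA AND is absent from the CRL.
verify_with_crl() {
  openssl verify -crl_check -CAfile "$WD/bundle.pem" "$WD/leaf.crt" >/dev/null 2>&1
}

setup_ca
issue_leaf login.live.com      # hostname from the advisory's list, cert is local
revoke_leaf
if verify_without_crl; then echo "no CRL consulted: certificate ACCEPTED"; fi
if verify_with_crl; then echo "CRL consulted: accepted"; \
  else echo "CRL consulted: certificate REJECTED as revoked"; fi
```

The first verification succeeds even after revocation because nothing told openssl to look at the CRL; only the second, which loads the CRL alongside the CA certificate and passes -crl_check, reports "certificate revoked". A client whose CRL download or OCSP query is blocked by the attacker behaves like the first verifier.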

Impact:

An attacker could use these certificates to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer.

A man-in-the-middle attack occurs when an attacker reroutes communication between two users through the attacker's computer without the knowledge of the two communicating users. Each user in the communication unknowingly sends traffic to and receives traffic from the attacker, all the while thinking they are communicating only with the intended user.

Probably even worse than the man-in-the-middle attacks that may have taken place is the simple fact that this incident fundamentally breaks the trust model of SSL. SSL relies on a "trust pyramid": a few certification authorities are trusted by every browser to issue certificates only to entities whose identity they have verified, and a certificate issued by any one of them for any hostname is accepted by all clients. Once a CA issues certificates without that verification, every client that trusts it is exposed, regardless of which site the user is actually visiting.

Solution:

Microsoft has released an update that places the nine certificates in the Untrusted Certificates store on all supported versions of Windows, so they are rejected even when a CRL or OCSP check cannot be completed. The majority of customers have automatic updating enabled and will not need to take any action because this update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually.
Windows downloads

For administrators and enterprise installations, or end users who want to install this update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.
Microsoft Update
