Spoofed Google and Yahoo SSL Certs Blocked by Microsoft
In a security advisory released by Microsoft today, 45 secure sockets layer (SSL) certificates that were improperly issued, apparently after attackers gained control of a subordinate certificate authority, are now blocked on Windows systems.
Security Advisory 2982792, which Microsoft titled "Improperly Issued Digital Certificates Could Allow Spoofing," applies to all supported releases of Windows and Windows Server.
"Microsoft is aware of improperly issued SSL certificates that could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks," read the security advisory. "The SSL certificates were improperly issued by the National Informatics Centre (NIC), which operates subordinate CAs [certificate authorities] under root CAs operated by the Government of India Controller of Certifying Authorities (CCA), which are CAs present in the Trusted Root Certification Authorities Store."
According to Microsoft, one of NIC's subordinate certificate authorities was misused to issue the 45 certificates. All of them purport to be legitimate certificates for Google and Yahoo domains, with one issued for static.com, a cloud platform-as-a-service company. The affected names include google.com, mail.google.com, login.yahoo.com, mail.yahoo.com and subscribe.yahoo.com, among others.
For Windows 7, Vista, Windows Server 2008 and Windows Server 2008 R2 systems with automatic updates enabled, and for all Windows 8/8.1/RT and Windows Server 2012/2012 R2 systems, the update to the Certificate Trust List (CTL) is applied automatically. Systems without automatic updates enabled will not receive the CTL update; their administrators must either enable automatic updates so the certificates land in the Disallowed store, or install the update manually.
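One way to confirm on a given machine that the disallowed-certificate CTL has actually been applied is to inspect the Windows certificate stores directly. The following PowerShell check is an added example, not part of Microsoft's advisory: the subject-name patterns it searches for ("National Informatics Centre", "NIC", "CCA India") and the registry value it reads are assumptions about how the entries are named and how the automatic updater records its last sync; the authoritative reference is the list of thumbprints in the advisory itself.

```powershell
# Added example (not from Microsoft's advisory): verify the disallowed-certificate
# CTL reached this system and that NIC-related CA entries are in the Disallowed store.
# Run in an elevated PowerShell prompt; subject patterns and the registry value are
# assumptions, so compare thumbprints against the advisory to be certain.

$patterns = @('National Informatics Centre', 'NIC', 'CCA India')

# 1. Entries in the machine-wide Disallowed store whose subject matches a pattern.
#    The CTL update adds the misused subordinate CAs here so chains built through
#    them fail validation even though the CCA India root stays in the Root store.
Write-Host "Disallowed store entries matching NIC / CCA India patterns:"
Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
    Where-Object {
        $subject = $_.Subject
        ($patterns | Where-Object { $subject -match [regex]::Escape($_) }).Count -gt 0
    } |
    Select-Object Thumbprint, Subject, NotAfter |
    Format-Table -AutoSize

# 2. The trusted root that the misused subordinates chain to. Its presence is
#    expected; the point is that its subordinates are now blocked, not the root.
Write-Host "Trusted roots matching 'CCA India':"
Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -match 'CCA India' } |
    Select-Object Thumbprint, Subject, NotAfter |
    Format-Table -AutoSize

# 3. When the automatic updater last synchronised the disallowed CTL. The value is
#    assumed to be a binary FILETIME under the AutoRoot AutoUpdate key; if it is
#    missing, the updater has not run (or is not installed on this Win7/Vista box).
$key  = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
$prop = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if ($prop -and $prop.DisallowedCertLastSyncTime) {
    $ticks = [BitConverter]::ToInt64($prop.DisallowedCertLastSyncTime, 0)
    Write-Host ("Disallowed CTL last synced (UTC): {0}" -f [DateTime]::FromFileTimeUtc($ticks))
} else {
    Write-Host "No disallowed-CTL sync recorded; enable automatic updates or install the update manually."
}
```

If step 1 returns nothing while step 3 shows a recent sync, check the thumbprints from the advisory directly with `Get-ChildItem Cert:\LocalMachine\Disallowed\<thumbprint>`, since the subject strings used above are only a guess at how the entries are labelled.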
While Microsoft has said there are no known attacks using the blacklisted certificates, a system that has not received the CTL update would accept them, letting an attacker on the network path intercept or monitor traffic to the affected Google and Yahoo services. The block is enforced by the Windows certificate store, so it protects applications that rely on that store; an application that ships its own root store is governed instead by whether that store trusts the CCA India roots at all.
Even though no attacks have been observed, security researcher Craig Young at Tripwire said today's advisory is a reminder that the Web's public key infrastructure, which trusts any of hundreds of certificate authorities to vouch for any site, is a structurally weak system. "The system we use for securing Web sites is based on the network of trusted certificate authorities and subordinate authorities," said Young in an e-mailed statement. "When any one of these authorities is controlled by someone with malicious intentions it's possible to impersonate services such as web sites, email, and file transfer. The malicious possibilities are limitless."
Young said it may be worth looking into an approach similar to how the Gmail app for Android works, in which the software accepts only "pinned" certificates or keys it already knows for a service, rather than any certificate that chains to a trusted authority (authorities which will continue to be targeted by attackers). However, Young acknowledged that, given how the Web is set up today, this would not be practical as a general replacement.