bit-tech.net

Microsoft issues emergency certificate patch

Microsoft has released an out-of-band security patch for Windows to address fraudulently obtained SSL certificates implicitly trusted by the operating system.

Microsoft has issued an emergency out-of-band security update for its Windows operating systems mere days after its regular Patch Tuesday release cycle, to address forged security certificates trusted by the platform.

Microsoft typically releases updates and security patches on the second Tuesday of every month, known as Patch Tuesday. Following July's Patch Tuesday release earlier this week, however, Microsoft was forced to issue an out-of-band emergency patch when it was discovered that forged encryption certificates for big-name sites including Google had been generated from the National Informatics Centre of India's certificate server.

In total, attackers were found to have gained access to the certificate generation systems within NIC and to have issued at least 45 certificates that would allow them to pose as companies ranging from email providers and search engines to banks and credit card processors. Because NIC is a trusted certificate provider, the fraudulently obtained certificates would not display an error when loaded, and the issue was considered serious enough for Microsoft to issue the out-of-band patch.

'The subordinate CA has been misused to issue SSL certificates for multiple sites, including Google web properties. These SSL certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against web properties,' Microsoft warned in its emergency bulletin. 'The subordinate CAs may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks.'

The update is being pushed out automatically to all Windows 8 and Windows 8.1 users, along with users of older Windows releases who have installed a recommended Windows Update patch that adds certificate revocation support to the OS.
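For administrators who want to confirm that a Windows host has actually received the disallowed-certificate update the article describes, the following PowerShell is an added example written for this page; it is not code from the article or from Microsoft's bulletin. It reports when the automatic updater of revoked certificates last synced and whether a given list of certificate thumbprints is present in the machine-wide Disallowed (Untrusted Certificates) store. The registry location of the sync timestamp is an assumption that should be verified against your Windows build, and the thumbprints in the script are placeholders to be replaced with the values published in Microsoft's security advisory.

```powershell
# Added example for this page, not code from bit-tech or Microsoft.
# Checks that the automatic updater of revoked certificates has run recently
# and that specific certificates are blocked in the Disallowed store.

function Get-DisallowedCtlSyncTime {
    # Assumed location: Windows records the last download of the disallowed-cert
    # CTL here as a REG_BINARY FILETIME. Verify this path on your own build.
    $key = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.DisallowedCertLastSyncTime) {
        return $null   # updater never ran, or the host lacks the recommended patch
    }
    $fileTime = [BitConverter]::ToInt64($props.DisallowedCertLastSyncTime, 0)
    return [DateTime]::FromFileTimeUtc($fileTime)
}

function Test-DisallowedThumbprints {
    param([Parameter(Mandatory)][string[]]$Thumbprints)
    # The Disallowed store is where Windows places explicitly distrusted certs.
    $store = Get-ChildItem -Path Cert:\LocalMachine\Disallowed
    foreach ($tp in $Thumbprints) {
        # Normalise copy-pasted thumbprints (spaces, colons, lowercase hex).
        $norm = ($tp -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        [PSCustomObject]@{
            Thumbprint        = $norm
            InDisallowedStore = [bool]($store | Where-Object { $_.Thumbprint -eq $norm })
        }
    }
}

# PLACEHOLDER thumbprints: substitute the SHA-1 thumbprints listed in Microsoft's advisory.
$expectedDistrusted = @(
    '0000000000000000000000000000000000000001',
    '0000000000000000000000000000000000000002'
)

$lastSync = Get-DisallowedCtlSyncTime
if ($null -eq $lastSync) {
    Write-Warning 'No disallowed-certificate sync recorded; the revocation updater may not be installed.'
} elseif ($lastSync -lt (Get-Date).ToUniversalTime().AddDays(-7)) {
    Write-Warning "Disallowed-certificate list last synced $lastSync (UTC); host may be stale."
} else {
    Write-Output "Disallowed-certificate list last synced $lastSync (UTC)."
}

Test-DisallowedThumbprints -Thumbprints $expectedDistrusted |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session; a thumbprint reported as not present after the expected sync window means the host has not taken the update and still chains to the misused subordinate CA without error.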

5 Comments

Gareth Halfacree 11th July 2014, 20:32 Quote
Quote:
Originally Posted by koaschten
come on, at least try to do some serious journalism...
Member since 2011. 10 posts. Your valuable input to the site is noted, dear reader.
Gambler FEX online 13th July 2014, 12:29 Quote
Quote:
Originally Posted by koaschten
Source? KB number?
come on, at least try to do some serious journalism...

https://technet.microsoft.com/en-us/library/security/2982792
http://googleonlinesecurity.blogspot.de/2014/07/maintaining-digital-certificate-security.html

Second link is interesting, they claim this only affects Windows and its 3rd party applications and browsers. IE has its own root store, and Chrome, Android OS, iOS etc doesn't even use the Indian certificate provider.
mi1ez 13th July 2014, 23:33 Quote
Quote:
Originally Posted by Gareth Halfacree
Quote:
Originally Posted by koaschten
come on, at least try to do some serious journalism...
Member since 2011. 10 posts. Your valuable input to the site is noted, dear reader.

I sniggered somewhat...
RedFlames 14th July 2014, 03:35 Quote
Quote:
Originally Posted by Gareth Halfacree
Member since 2011. 10 posts. Your valuable input to the site is noted, dear reader.

Whilst he could've phrased it better, personally I think with stories like this it'd be nice to have a link to the official announcement [if there is one... which there isn't always]... even if it's 'if you wanna try and decipher the official announcement, here's the link, knock yourself out...' tagged onto the end...