Microsoft issues emergency certificate patch
July 11, 2014 | 11:36
Microsoft has issued an emergency out-of-band security update for its Windows operating systems mere days after its regular Patch Tuesday release cycle, to address forged security certificates trusted by the platform.
Microsoft typically releases updates and security patches on the second Tuesday of every month, known as Patch Tuesday. Following July's Patch Tuesday release earlier this week, however, Microsoft was forced to issue an out-of-band emergency patch when it was discovered that forged encryption certificates for big-name sites including Google had been generated from the National Informatics Centre of India's certificate server.
In total, it was discovered that attackers had gained access to the certificate generation systems within NIC and had issued at least 45 certificates that would allow them to pose as companies ranging from email providers and search engines to banks and credit card processors. With NIC being a trusted certificate provider, meaning the fraudulently obtained certificates would not display an error when loaded, the issue was considered serious enough for Microsoft to issue the out-of-band patch.
'The subordinate CA has been misused to issue SSL certificates for multiple sites, including Google web properties. These SSL certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against web properties,' Microsoft warned in its emergency bulletin. 'The subordinate CAs may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks.'
The update is being pushed out automatically to all Windows 8 and Windows 8.1 users, along with users of older Windows releases who have installed a recommended Windows Update patch that adds certificate revocation support to the OS.