Windows users exposed to fraudulent Yahoo and Google sites

Microsoft has removed trust for digital certificates issued by an Indian government agency that exposed Windows users to man-in-the-middle attacks through fake Google and Yahoo domains.

As reported on Monday, Google blocked rogue digital certificates issued by India’s National Informatics Centre (NIC) that allowed an attacker to impersonate several of its domains.

NIC held intermediate or subordinate CA certificates that are trusted by India’s root certifying authority (CA). Its certificates are included in the Microsoft Root Store, which meant only applications running on Windows were exposed to risks from the rogue certificates. In Google’s case that meant Chrome users on Windows could be duped into visiting a bogus Google domain; Internet Explorer was equally exposed, while Firefox users were not, since that browser has its own root store that didn't include these certificates.

Microsoft acknowledged the issue at the time, but it did not have a fix until Thursday. The fix rolls out automatically to most, but not all, Windows systems by way of an update to Microsoft’s Certificate Trust List (CTL) that removes trust for NIC’s “mis-issued” certificates.

“We have been working diligently on the mis-issued third-party certificates and have untrusted the related Subordinate Certification Authority certificates to ensure that our customers remain protected. Customers with automatic updates enabled do not need to take any action to remain protected,” a Microsoft spokesperson said in a statement.

In an advisory, Microsoft explained that the bogus SSL certificates “could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against web properties.”

“The subordinate CAs may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks,” Microsoft added in its advisory. 

Microsoft said that domains exposed to attacks using the certificates include several Gmail and Google Mail domains, as well as over a dozen Yahoo domains, among them two Australian Yahoo domains: and

Consumers, and in particular enterprise organisations running Windows, should take special note of which Windows version their systems run, because the update only revokes trust for the bogus certificates automatically on some systems.


Systems that will automatically receive the updated CTL include Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, and Windows Server 2012 R2, and devices running Windows Phone 8 or Windows Phone 8.1.

Machines running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 that are using the automatic updater of revoked certificates will also get the CTL update automatically. However, customers who haven’t installed the automatic updater can only get the update by installing it; details for how to do that can be found here. Anyone running Windows Server 2003, which is already past its mainstream support end date, is out in the cold: Microsoft said it will update the advisory “at such time as an update becomes available”.
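Because the CTL update lands silently on some systems and not at all on others, an administrator will want a way to confirm on a given machine whether the untrusted certificates are actually present in the Untrusted Certificates (Disallowed) store. The following PowerShell audit is an added example, not code from the article or from Microsoft: it scans the local Disallowed, Intermediate CA and Root stores for certificates whose subject or issuer matches a name pattern and reports where each one sits. The default value of $Pattern is an assumption, since the article does not give the exact subject names of the NIC certificates; the store paths are the standard Windows certificate provider paths.

```powershell
# Added example (not from the article or Microsoft): audit local certificate stores
# for a CA name pattern to confirm the CTL update has untrusted the certificates here.
# $Pattern is an assumption; replace it with the exact subject/issuer names once known.
function Get-CaTrustStatus {
    param(
        [string]$Pattern = 'National Informatics Centre|NIC'   # hypothetical match pattern
    )

    $stores = @{
        Disallowed   = 'Cert:\LocalMachine\Disallowed'   # "Untrusted Certificates" store, fed by the CTL update
        Intermediate = 'Cert:\LocalMachine\CA'           # "Intermediate Certification Authorities"
        Root         = 'Cert:\LocalMachine\Root'         # "Trusted Root Certification Authorities"
    }

    foreach ($name in $stores.Keys) {
        Get-ChildItem -Path $stores[$name] -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $name
                    Thumbprint = $_.Thumbprint
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    NotAfter   = $_.NotAfter
                }
            }
    }
}

$results = Get-CaTrustStatus
$results | Format-Table -AutoSize

# Interpretation: a match in the Disallowed store means this machine has received the
# untrust entry; a match only in Intermediate or Root means the machine still chains
# to that CA and needs the CTL update (or the manual updater on Vista/7/2008/2008 R2).
$untrusted = $results | Where-Object { $_.Store -eq 'Disallowed' }
if (-not $untrusted) {
    Write-Warning "No matching certificates in the Disallowed store; the CTL update may not have applied on this machine."
}
```

Run it in an elevated PowerShell session so the LocalMachine stores are readable; repeat with `Cert:\CurrentUser\...` paths if per-user stores are in scope. An empty result in every store is expected on a machine that never held the certificates, so the warning is a prompt to check the update status, not proof of exposure.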

Newer versions of Microsoft’s Enhanced Mitigation Experience Toolkit should also help customers mitigate threats from rogue SSL certificates, according to Dustin Childs, Microsoft’s Trustworthy Computing response communications manager.

“The Enhanced Mitigation Experience Toolkit (EMET) 4.1, and newer versions, help to mitigate man-in-the-middle attacks by detecting untrusted or improperly issued SSL certificates through the Certificate Trust feature,” he noted.

Follow Liam Tung on Twitter 

This article is brought to you by Enex TestLab, content directors for CSO Australia.
