Microsoft has removed trust for digital certificates issued by an Indian government agency that exposed Windows users to man-in-the-middle attacks through fake Google and Yahoo domains.
As CSO.com.au reported on Monday, Google blocked rogue digital certificates issued by India’s National Informatics Centre (NIC) that allowed an attacker to impersonate several of its domains.
NIC held intermediate or subordinate CA certificates that are trusted by India’s root certifying authority (CA). Its certificates are included in the Microsoft Root Store, which meant only applications running on Windows were exposed to risks from the rogue certificates. In Google’s case that meant Chrome users could be duped into visiting a bogus Google domain; Internet Explorer was also equally exposed while Firefox users were not since the browser has on its own root store that didn't include these certificates.
Microsoft acknowledged the issue at the time, however until Thursday it didn’t have a fix, which will roll out automatically to most but not all Windows systems by way of an update to Microsoft’s Certificate Trust List (CTL) that removes trust for NIC’s “mis-issued” certificates.
“We have been working diligently on the mis-issued third-party certificates and have untrusted the related Subordinate Certification Authority certificates to ensure that our customers remain protected. Customers with automatic updates enabled do not need to take any action to remain protected,” a Microsoft spokesperson said in statement.
In an advisory Microsoft explained that the bogus SSL certificates “could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against web properties.”
“The subordinate CAs may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks,” Microsoft added in its advisory.
Microsoft said that domains exposed to attacks using the certificates include several Gmail and Google Mail domains, as well as over a dozen Yahoo domains, among them two Australian Yahoo domains: au.api.reg.yahoo.com and au.reg.yahoo.com.
Consumers and in particular enterprise organisations running Windows should take special note of their system’s version in this update. The new CRL only revokes trust for the bogus certificates automatically on some systems.
Systems that will automatically receive the updated CTL include Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, and Windows Server 2012 R2, and devices running Windows Phone 8 or Windows Phone 8.1.
Machines running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 that are using the automatic updater of revoked certificates will also get the CTL update automatically. However the only way for customers who haven’t installed the automatic updater to get it is by installing it. Details for how to do that can be found here. And anyone running Windows Server 2003, which is already past its mainstream support end date, is out in the cold. Microsoft said it will update the advisory “at such time as an update becomes available”.
Newer versions of Microsoft’s Enhanced Mitigation Experience Toolkit should also help customers mitigate threats from rogue SSL certificates, according to Dustin Childs, Microsoft’s Trustworthy Computing response communications manager.
“The Enhanced Mitigation Experience Toolkit (EMET) 4.1, and newer versions, help to mitigate man-in-the-middle attacks by detecting untrusted or improperly issued SSL certificates through the Certificate Trust feature,” he noted.
This article is brought to you by Enex TestLab, content directors for CSO Australia.