
Microsoft Warns Of Possible Attacks Using False SSL Certificate

Microsoft has warned that a counterfeit SSL certificate has been issued for its live.fi domain, and could be used to launch convincing man-in-the-middle attacks on any version of Windows.

“Microsoft is aware of an improperly issued SSL certificate for the domain ‘live.fi’ that could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks,” Microsoft stated in an advisory. “It cannot be used to issue other certificates, impersonate other domains, or sign code… Microsoft is not currently aware of attacks related to this issue.”

The certificate, issued by Comodo, has already been revoked, but it is relatively easy to carry out attacks using revoked certificates, according to security researchers. Most browsers maintain hard-coded lists of revoked certificates in order to protect against such attacks, with Google and Mozilla expected to release updates for their browsers imminently.

Certain versions of Windows – Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012 and Windows Server 2012 R2, as well as Windows Phone 8 and Windows Phone 8.1 – include an automatic updater of revoked certificates, so that users of those systems don’t need to take any action, Microsoft said.

Users of other versions of Windows can install the automatic updater themselves, or, if they don’t wish to do so, can manually install the update in question to remove the trust of the revoked certificate, according to Microsoft.

Privileged email account

The company didn’t specify exactly how the certificate came to be issued in the first place, only stating that the incident involved a “misconfigured privileged email account”.

“An email account was able to be registered for the live.fi domain using a privileged username, which was subsequently used to request an unauthorised certificate for that domain,” Microsoft stated.

Such email accounts typically include those beginning with admin, administrator, postmaster, hostmaster or webmaster, according to Comodo.
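A registration-time check a mail provider could apply so that ordinary users cannot claim the usernames listed above, written as an added example that is not code from Microsoft or Comodo. The normalization rules (ignoring case, dots, hyphens, underscores and `+tag` suffixes, and refusing non-ASCII names) are assumptions about the provider's policy, and the sample usernames are constructed.

```python
import unicodedata

# Local-parts the article lists as typical for privileged, validation-capable mailboxes.
RESERVED_LOCAL_PARTS = frozenset(
    {"admin", "administrator", "postmaster", "hostmaster", "webmaster"}
)

# Assumption: the provider treats these separators as insignificant, so
# "host.master" and "web-master" would read as (or deliver to) the reserved name.
IGNORED_SEPARATORS = str.maketrans("", "", ".-_")


def canonical_local_part(requested: str) -> str:
    """Reduce a requested username to the form compared against the reserved list."""
    # NFKC folds compatibility characters (e.g. fullwidth letters) to plain ones.
    text = unicodedata.normalize("NFKC", requested).casefold().strip()
    text = text.split("@", 1)[0]  # tolerate a full address being submitted
    text = text.split("+", 1)[0]  # assumption: "+tag" sub-addressing is enabled
    return text.translate(IGNORED_SEPARATORS)


def is_registrable(requested: str) -> bool:
    """Return True only if an ordinary user may register this username."""
    canon = canonical_local_part(requested)
    if not canon:
        return False
    # Assumption: a conservative policy that refuses names NFKC cannot reduce
    # to ASCII, which blocks look-alike letters such as a Cyrillic "a".
    if not canon.isascii():
        return False
    return canon not in RESERVED_LOCAL_PARTS


def audit_existing(usernames):
    """List already-registered usernames that the check would have refused."""
    return [name for name in usernames if not is_registrable(name)]


if __name__ == "__main__":
    # Constructed sample of existing accounts, for illustration only.
    sample = ["alice", "Admin", "host.master", "postmaster+ssl", "admin1"]
    for name in audit_existing(sample):
        print("needs review:", name)
```

Running `audit_existing` over the current account list finds privileged names that were registered before the check existed.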

The incident highlights one of the weaknesses in the SSL system used to encrypt most sensitive web traffic – the ease with which it is possible to obtain fraudulent certificates, compared to the relative difficulty of removing trust in such certificates.

In most browsers, if information regarding the trust in a certificate can’t be obtained, the browser will by default treat the certificate as trusted. As security researchers have demonstrated, that means attacks can be carried out using untrusted certificates by simply suppressing the response that indicates to the browser that the certificate has been revoked.


Matthew Broersma

Matt Broersma is a long-standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications.
