Emergency Windows update revokes dozens of bogus Google, Yahoo SSL certificates

Microsoft has issued an emergency update for most supported versions of Windows to prevent attacks that abuse recently issued digital certificates impersonating Google and Yahoo. Company officials warned that undiscovered fraudulent credentials for other domains may still be in the wild.

Thursday's unscheduled update effectively blocks highly sensitive secure sockets layer (SSL) certificates covering 45 domains that hackers managed to generate after compromising systems operated by the National Informatics Centre (NIC) of India. That's an intermediate certificate authority (CA) whose certificates were automatically trusted by all supported versions of Windows. Millions of sites operated by banks, e-commerce companies, and other types of online services use such cryptographic credentials to encrypt data passing over the open Internet and to prove the authenticity of their servers. As Ars explained Wednesday, the counterfeit certificates pose a risk to Windows users accessing SSL-protected sections of Google, Yahoo, and any other affected domains.

"These SSL certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against Web properties," a Microsoft advisory warned. "The subordinate CAs may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks."


Microsoft Releases Security Advisory for Improperly Issued Digital Certificates

Original release date: July 10, 2014

Microsoft has released a security advisory to address improperly issued SSL certificates that could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows.

Users and administrators are encouraged to review Microsoft Security Advisory 2982792 and apply the necessary updates.

 

