Microsoft Revokes Certificates for Bogus Yahoo! and Google Sites

Microsoft has issued an emergency patch to address improperly issued SSL certificates

Microsoft has issued an emergency patch to address improperly issued SSL certificates that could be used in attempts to spoof Google and Yahoo! content, perform phishing attacks or perform man-in-the-middle (MitM) attacks against Windows users.

The software giant said in its advisory that SSL certificates were improperly issued by the National Informatics Centre (NIC), which operates subordinate CAs under root CAs operated by the Government of India Controller of Certifying Authorities (CCA). The details were a bit shadowy, and Microsoft said only that “the subordinate CA has been misused to issue SSL certificates for multiple sites, including Google web properties. Subordinate CAs may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks.”

Computers and SSL systems for everything from online banking to e-commerce sites to webmail are designed to trust a long list of authorities in order to verify the authenticity of servers, but certificate authorities are no strangers to being compromised and used to sign counterfeit certificates on behalf of cybercriminals. Some say that the system itself is flawed and needs to be re-architected.

“The Microsoft advisory about fake Google and Yahoo! certificates in the wild underscores the key risks of using public key infrastructure (PKI) to ensure the authenticity of a remote party,” said Craig Young, security researcher at Tripwire, in a comment to Infosecurity. “The system we use for securing websites is based on the network of trusted certificate authorities and subordinate authorities. When any one of these authorities is controlled by someone with malicious intentions it’s possible to impersonate services such as web sites, email and file transfer. The malicious possibilities are limitless.”

One of the best ways to protect users from this type of threat is through the use of pinned certificates, in which software is designed to require specific certificates instead of allowing any certificate signed by a 'trusted' authority.

“This practice is used in the Gmail app for Android, for example,” Young said. “Unfortunately, this approach does not scale for general web browsing. To protect themselves from these kinds of incidents users may want to remove trust for regional certificate authorities that aren’t needed in the user's locale.”
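As an added illustration of the pinning approach described above (example code written for this article, not code from Microsoft, Google or Tripwire): the client ships the SHA-256 hash of the public key it expects and rejects any leaf certificate whose key differs, even if a CA in the trust store signed it. The certificates below are constructed, unsigned dummies built with a minimal DER encoder; the walker reads the subjectPublicKeyInfo out of a real DER certificate as well.

```python
import base64
import hashlib

def _tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value_start, value_end, next_tlv_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length, pos + length

def extract_spki(cert_der):
    """Return the subjectPublicKeyInfo TLV (header included) from a DER X.509 certificate."""
    _, pos, _, _ = _tlv(cert_der, 0)        # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, pos, _, _ = _tlv(cert_der, pos)      # TBSCertificate ::= SEQUENCE { ... }
    tag, _, _, nxt = _tlv(cert_der, pos)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(5):                      # serialNumber, signature, issuer, validity, subject
        _, _, _, pos = _tlv(cert_der, pos)
    tag, _, end, _ = _tlv(cert_der, pos)    # subjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed certificate: SPKI not found")
    return cert_der[pos:end]

def spki_pin(cert_der):
    """Pin = base64(SHA-256(DER SPKI)), the form browsers use in their pin lists."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def check_pin(cert_der, pinned):
    return spki_pin(cert_der) in pinned     # a 'trusted' CA signature alone is not enough

# --- constructed sample data (not real certificates; issuer/validity/signature are dummies) ---
def _der(tag, body):                        # minimal DER encoder, used only for the samples
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _sample_spki(key_bytes):
    rsa_oid_null = bytes.fromhex("06092a864886f70d010101") + b"\x05\x00"  # rsaEncryption, NULL
    return _der(0x30, _der(0x30, rsa_oid_null) + _der(0x03, b"\x00" + key_bytes))

def build_sample_cert(spki_der):
    """Syntactically valid Certificate wrapping spki_der; the other fields are left empty."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
           + _der(0x30, b"") * 4 + spki_der)          # sigalg, issuer, validity, subject
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))

GENUINE_CERT = build_sample_cert(_sample_spki(bytes(16)))          # the site's real key
ROGUE_CERT = build_sample_cert(_sample_spki(bytes([0xAB]) * 16))   # same name, CA-signed, wrong key
PINNED = {spki_pin(GENUINE_CERT)}   # what the client ships ahead of time
```

`check_pin(ROGUE_CERT, PINNED)` returns False, which is the outcome pinning buys over ordinary chain validation; the cost, as Young notes, is that every key rotation has to be reflected in the shipped pin set.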

The good news is that as a security concern for end-users, it will essentially address itself because most certificates will be revoked automatically on most modern Windows systems. Microsoft is updating the Certificate Trust List (CTL) for all supported releases of Microsoft Windows (i.e., not XP) to remove the trust of certificates that are causing the issue, and an automatic update reflecting the revoked certificates has been pushed out for the affected systems: Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, and Windows Server 2012 R2, and for devices running Windows Phone 8 or Windows Phone 8.1. Older versions (Windows Vista, Windows 7, Windows Server 2008 or Windows Server 2008 R2) will also get the automatic update, but users will need to ensure that the updater is installed.
