Microsoft has released a security advisory to address improperly issued SSL certificates that could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. According to the Microsoft advisory, the certificates were issued by subordinate CAs operated by the National Informatics Centre (NIC) under root CAs operated by the Government of India Controller of Certifying Authorities (CCA). Those root CAs are present in the Windows Trusted Root Certification Authorities Store, so Windows trusted the improperly issued certificates by default. This issue affects all supported releases of Microsoft Windows.
2.0 Impact
A subordinate CA certificate issued by NIC was misused to issue SSL certificates for multiple sites, including Google and Yahoo web properties. These SSL certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against the web properties listed below. The subordinate CA may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks.
3.0 List of affected web properties
- google.com
- mail.google.com
- gmail.com
- www.gmail.com
- m.gmail.com
- smtp.gmail.com
- pop.gmail.com
- imap.gmail.com
- googlemail.com
- www.googlemail.com
- smtp.googlemail.com
- pop.googlemail.com
- imap.googlemail.com
- gstatic.com
- ssl.gstatic.com
- www.static.com
- encrypted-tbn1.gstatic.com
- encrypted-tbn2.gstatic.com
- login.yahoo.com
- mail.yahoo.com
- mail.yahoo-inc.com
- fb.member.yahoo.com
- login.korea.yahoo.com
- api.reg.yahoo.com
- edit.yahoo.com
- watchlist.yahoo.com
- edit.india.yahoo.com
- edit.korea.yahoo.com
- edit.europe.yahoo.com
- edit.singapore.yahoo.com
- edit.tpe.yahoo.com
- legalredirect.yahoo.com
- me.yahoo.com
- open.login.yahooapis.com
- subscribe.yahoo.com
- edit.secure.yahoo.com
- edit.client.yahoo.com
- bt.edit.client.yahoo.com
- verizon.edit.client.yahoo.com
- na.edit.client.yahoo.com
- au.api.reg.yahoo.com
- au.reg.yahoo.com
- profile.yahoo.com
- static.profile.yahoo.com
- openid.yahoo.com
4.0 Affected Products
List of affected Microsoft products:
- Windows XP Service Pack 3
- Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Vista Service Pack 2
- Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for Itanium-based Systems Service Pack 2
- Windows 7 for 32-bit Systems Service Pack 1
- Windows 7 for x64-based Systems Service Pack 1
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
- Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
- Windows 8 for 32-bit Systems
- Windows 8 for x64-based Systems
- Windows 8.1 for 32-bit Systems
- Windows 8.1 for x64-based Systems
- Windows RT
- Windows RT 8.1
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 R2 for x64-based Systems (Server Core installation)
- Windows Server 2012 (Server Core installation)
- Windows Server 2012 R2 (Server Core installation)
- Windows Phone 8
5.0 Recommendation
Users are advised to apply the update immediately on all supported releases of Microsoft Windows. The action required depends on whether the system receives the disallowed certificate list automatically (5.1) or not (5.2).
5.1 Automatic update revoke certificate
The disallowed certificate list is updated automatically on supported editions of Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012 and Windows Server 2012 R2, and on devices running Windows Phone 8. The same applies to systems running Windows Vista, Windows 7, Windows Server 2008 or Windows Server 2008 R2 that have the automatic updater of revoked certificates installed (see Microsoft Knowledge Base Article 2677070).
These customers do not need to take any action, because the Certificate Trust List (CTL) is updated automatically.
5.2 Customers who choose not to install the automatic updater of revoked certificates
For customers running Windows XP or Windows Server 2003, or for customers who have not installed the automatic updater of revoked certificates, Microsoft recommends that the 2917500 update be applied immediately, either through update management software or by:
- Checking for updates using the Microsoft Update service, or
- Downloading and applying the update manually. See Microsoft Knowledge Base Article 2917500 for download links.
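The two cases in 5.1 and 5.2 translate into a short verification an administrator can run on a Windows host. The following PowerShell script is an added example and is not code from the MyCERT or Microsoft advisory. It reports whether the automatic updater has synchronised the disallowed CTL (assuming the updater records this as a FILETIME in the DisallowedCertLastSyncTime value under HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate), lists entries in the Untrusted Certificates store whose subject or issuer matches assumed NIC / CCA India name fragments, and optionally connects to one of the hosts in section 3.0 and shows whether Windows now rejects a chain through that hierarchy. The name fragments, the parameter names and the optional target host are assumptions chosen for illustration.

```powershell
# Added example, not part of the MyCERT or Microsoft advisory. Run in an elevated
# PowerShell session. Assumptions: the registry value used to detect the automatic
# updater (KB 2677070), the issuer-name fragments and the optional TLS target are
# illustrative choices, not values published in the advisory.

param(
    [string]$TargetHost = "",  # optional TLS endpoint to inspect, e.g. mail.google.com
    [int]$Port = 443
)

# Assumed name fragments for the NIC / CCA India hierarchy named in the advisory.
$SuspectPatterns = @("NIC", "National Informatics Centre", "CCA India")

function Test-SuspectName([string]$Name) {
    foreach ($p in $SuspectPatterns) {
        if ($Name -like "*$p*") { return $true }
    }
    return $false
}

function Get-DisallowedCtlSyncStatus {
    # Case 5.1: the automatic updater records its last disallowed-CTL sync under
    # this key (assumption: an 8-byte FILETIME in DisallowedCertLastSyncTime).
    $key = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.DisallowedCertLastSyncTime) {
        return [pscustomobject]@{ AutoUpdaterActive = $false; LastSyncUtc = $null }
    }
    $fileTime = [BitConverter]::ToInt64([byte[]]$props.DisallowedCertLastSyncTime, 0)
    [pscustomobject]@{
        AutoUpdaterActive = $true
        LastSyncUtc       = [DateTime]::FromFileTimeUtc($fileTime)
    }
}

function Get-UntrustedStoreMatches {
    # Case 5.2: the manual update places the blocked certificates in the
    # Untrusted Certificates store (Cert:\LocalMachine\Disallowed).
    Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
        Where-Object { (Test-SuspectName $_.Subject) -or (Test-SuspectName $_.Issuer) } |
        Select-Object Subject, Issuer, Thumbprint, NotAfter
}

function Get-RemoteChainReport([string]$HostName, [int]$Port) {
    # Accept any certificate during the handshake (we want to inspect the chain,
    # not trust it), then let Windows build and evaluate the chain so the verdict
    # reflects the local trusted-root and disallowed lists.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted  = $chain.Build($leaf)
    $statuses = @($chain.ChainStatus | ForEach-Object { $_.Status })
    $suspect  = @($chain.ChainElements | ForEach-Object { $_.Certificate } |
        Where-Object { (Test-SuspectName $_.Subject) -or (Test-SuspectName $_.Issuer) })
    [pscustomobject]@{
        Host          = $HostName
        LeafSubject   = $leaf.Subject
        ChainTrusted  = $trusted
        ChainStatus   = if ($statuses.Count) { $statuses -join ", " } else { "NoError" }
        SuspectIssuer = $suspect.Count -gt 0
    }
}

"== Disallowed CTL automatic update (5.1) =="
Get-DisallowedCtlSyncStatus | Format-List

"== NIC / CCA India entries in Untrusted Certificates (5.2) =="
$storeHits = Get-UntrustedStoreMatches
if ($storeHits) { $storeHits | Format-Table -AutoSize } else { "none found" }

if ($TargetHost) {
    "== Live chain check for $TargetHost =="
    Get-RemoteChainReport -HostName $TargetHost -Port $Port | Format-List
}
```

Saved as, for instance, Check-NicCerts.ps1 (a hypothetical name), it is run as `.\Check-NicCerts.ps1 -TargetHost mail.google.com`. A host that shows AutoUpdaterActive $false and no store entries has received neither remediation path. In the live check, SuspectIssuer $true together with ChainTrusted $true is the condition the advisory warns about: a chain through the NIC / CCA India hierarchy that Windows still accepts; after the CTL update or KB has been applied, such a chain should report ChainTrusted $false.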
5.3 Additional suggested action
- MyCERT also advises users to install the latest security updates for their computers and to make sure their anti-virus software is updated with the latest signature files. Read Understanding Anti-Virus Software for more information.
- Good password management. Users are advised to use strong passwords of at least 8 characters, combining upper- and lowercase letters, digits and special characters. To keep passwords secure, users should not share them with anyone for any reason, should change them periodically, should avoid reusing them, should prefer passphrases to single words, and should avoid using the same password for multiple accounts.
- Patch operating systems and software. Users are advised to ensure that operating systems and any installed software are fully patched, and that firewall software is up to date and operational.
Generally, MyCERT advises users of this software to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies when determining which updates should be applied.
For further enquiries, please contact MyCERT through the following channels:
E-mail : [email protected] or [email protected]
Phone: 1-300-88-2999 (monitored during business hours)
Fax: +603 89453442
Mobile: +60 19 2665850 (24x7 call incident reporting)
SMS: CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours : Mon - Fri 09:00 -18:00 MYT
Web: https://www.mycert.org.my
Twitter: http://www.twitter.com/mycert
6.0 References