Microsoft has shipped an emergency update for most supported versions of Windows to block attacks that abuse recently issued digital certificates impersonating Google and Yahoo. Company officials also warned that fraudulent certificates for other domains may have been issued and remain undiscovered in the wild.
The unscheduled update effectively blocks 45 fraudulent SSL certificates. They were issued by attackers who compromised systems operated by India's National Informatics Centre (NIC).
NIC operates an intermediate (subordinate) certificate authority (CA) whose certificates chain to a root trusted by all supported versions of Windows. Such cryptographic credentials are used by e-commerce and online banking sites and by many other online services to prove the authenticity of their servers and to protect data passing over the open Internet. As Ars noted in an earlier post, forged certificates for Google, Yahoo or any other domain pose a serious risk to Windows users.
“These SSL certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against Web properties,” warns a Microsoft advisory. The advisory also warns that the subordinate CAs may have issued certificates for other, as yet unknown, sites that could face similar attacks.
Computers running Windows 8, 8.1, RT, RT 8.1, Server 2012, Server 2012 R2, Phone 8 or Phone 8.1 receive the updated revocation status automatically. Their users need take no action: the automatic updater for revoked certificates, enabled by default on these versions, refreshes the Windows Certificate Trust List (CTL) on its own.
Systems running Windows Vista, 7, Server 2008 or Server 2008 R2, however, may not have the automatic updater installed. Users who lack it, or are unsure whether they have it, can install it or confirm it is present by following Microsoft's published installation procedure for the updater. At the time of writing, no update is available to revoke the counterfeit certificates on Windows Server 2003.
Thursday's advisory lists 45 domains for which fraudulent certificates were issued, and which are therefore open to spoofing, as a result of the recent compromise of the India-based CA.
The fake certificates cover several Google subdomains, plus Yahoo, yahooapis.com, yahoo-inc.com, gstatic.com and static.com. The unscheduled update hardwires the revocation of these specific certificates directly into Windows by adding them to the operating system's local disallowed-certificate list.
That matters because clients normally check revocation in real time through the Online Certificate Status Protocol (OCSP), and an attacker positioned to impersonate a site can also block those checks, which most clients then treat as a soft failure and proceed anyway. A revocation stored locally in the OS cannot be bypassed that way. Based on what Ars reported on Wednesday and Microsoft's warning on Thursday, security experts are not ruling out the possibility that the attackers generated further bogus certificates for the same or other domains.
The update also revokes trust in three intermediate certificates belonging to NIC. That invalidates every domain certificate issued under them, including an unknown number of legitimate ones, so anyone visiting an SSL-protected site that chains to one of those NIC intermediates can expect certificate errors.
Microsoft could have eliminated the risk from any undiscovered certificates by removing the root certificate of India's Controller of Certifying Authorities (CCA), which oversees the compromised NIC, from its Certificate Trust List. That would have caused many legitimate sites to display SSL errors, a consideration that probably drove Microsoft to revoke only the NIC intermediates known to have issued bogus certificates. Microsoft's options stand in stark contrast to those available to the engineers of Google Chrome.
That browser's more granular controls let it accept certificates chaining to the CCA root only for a small set of Indian (.in) domains. Windows users should make sure their systems are updated as soon as possible; Microsoft's Enhanced Mitigation Experience Toolkit (EMET), whose Certificate Trust feature can pin the certificates expected for chosen sites, offers some additional protection. Chrome on Windows is largely immune to these attacks because the CCA-issued certificates it accepts are limited to .in domains. Users of default Mac OS X, Linux and other operating systems are also safe, because the CCA root is not in their trust stores.
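To make the three mechanisms contrasted above concrete (the disallowed list Microsoft pushed into Windows and why it does not depend on OCSP, the collateral effect of revoking an intermediate on legitimate certificates beneath it, and Chrome's restriction of the CCA root to .in domains), here is an added toy chain verifier in Python. It is illustration written for this page, not code from Microsoft, Google or the article; the certificates are constructed dataclasses with placeholder subjects rather than the real NIC and CCA certificates, and the OCSP responder and disallowed list are in-memory stand-ins.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate (constructed, not real DER)."""
    subject: str
    issuer: str
    dns_names: tuple = ()   # subjectAltName dNSName entries (leaf certs only)
    is_ca: bool = False
    serial: int = 1

    def fingerprint(self) -> str:
        # Real disallowed lists key on a hash of the DER encoding; we hash a
        # constructed stand-in, so any change to the cert changes the hash.
        stand_in = f"{self.subject}|{self.issuer}|{self.serial}|{self.dns_names}"
        return hashlib.sha256(stand_in.encode()).hexdigest()


def _san_matches(pattern: str, hostname: str) -> bool:
    """Single-label wildcard match, e.g. '*.google.com' vs 'mail.google.com'."""
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


class TrustPolicy:
    def __init__(self, roots, disallowed=(), name_constraints=None, ocsp_revoked=()):
        self.roots = {c.fingerprint() for c in roots}
        # OS-local disallowed list: read from disk, never fetched during a handshake.
        self.disallowed = {c.fingerprint() for c in disallowed}
        # Per-root permitted DNS suffixes, like Chrome's limit on the CCA root.
        self.name_constraints = name_constraints or {}
        # Stand-in for what a live OCSP responder would answer (constructed).
        self.ocsp_revoked = {c.fingerprint() for c in ocsp_revoked}

    def verify(self, chain, hostname, ocsp_reachable=True):
        """Return (ok, reason); chain is ordered leaf -> intermediates -> root."""
        leaf, root = chain[0], chain[-1]
        if root.fingerprint() not in self.roots:
            return False, f"root {root.subject!r} is not trusted"
        for child, parent in zip(chain, chain[1:]):
            if child.issuer != parent.subject or not parent.is_ca:
                return False, f"{child.subject!r} was not issued by CA {parent.subject!r}"
        # A disallowed hit anywhere in the chain fails hard, and it is decided
        # before any OCSP traffic, so blocking OCSP gains the attacker nothing.
        # The same rule is why revoking an intermediate sinks its legitimate leaves.
        for cert in chain:
            if cert.fingerprint() in self.disallowed:
                return False, f"{cert.subject!r} is on the disallowed list"
        # OCSP is soft-fail in practice: an unreachable responder means "accept".
        if ocsp_reachable:
            for cert in chain:
                if cert.fingerprint() in self.ocsp_revoked:
                    return False, f"{cert.subject!r} reported revoked by OCSP"
        permitted = self.name_constraints.get(root.subject)
        if permitted is not None and not any(hostname.endswith(s) for s in permitted):
            return False, f"root {root.subject!r} may not vouch for {hostname!r}"
        if not any(_san_matches(p, hostname) for p in leaf.dns_names):
            return False, f"{hostname!r} is not in the leaf SAN {leaf.dns_names}"
        return True, "ok"


# Constructed chain modelled on the article: a CCA-anchored NIC intermediate that
# issued a legitimate .in leaf and a bogus Google leaf. Subjects are placeholders.
CCA_ROOT = Cert("CCA India root (placeholder)", "CCA India root (placeholder)", is_ca=True, serial=1)
NIC_CA = Cert("NIC intermediate (placeholder)", CCA_ROOT.subject, is_ca=True, serial=2)
BOGUS_GOOGLE = Cert("*.google.com", NIC_CA.subject, dns_names=("*.google.com",), serial=3)
LEGIT_GOV_IN = Cert("portal.example.gov.in", NIC_CA.subject, dns_names=("portal.example.gov.in",), serial=4)
BOGUS_CHAIN = [BOGUS_GOOGLE, NIC_CA, CCA_ROOT]
LEGIT_CHAIN = [LEGIT_GOV_IN, NIC_CA, CCA_ROOT]


def run_scenarios():
    """Verdict (True = accepted) for each trust configuration the article contrasts."""
    # Windows before the out-of-band update: CCA root trusted, nothing disallowed.
    before = TrustPolicy(roots=[CCA_ROOT], ocsp_revoked=[BOGUS_GOOGLE])
    # Windows after the update: the NIC intermediate is on the disallowed list.
    after = TrustPolicy(roots=[CCA_ROOT], disallowed=[NIC_CA])
    # Chrome: the CCA root is accepted only for Indian domains.
    chrome = TrustPolicy(roots=[CCA_ROOT], name_constraints={CCA_ROOT.subject: (".in",)})
    # Default OS X / Linux stores: the CCA root is simply absent.
    other_os = TrustPolicy(roots=[])
    return {
        "before_ocsp_reachable": before.verify(BOGUS_CHAIN, "mail.google.com")[0],
        "before_ocsp_blocked": before.verify(BOGUS_CHAIN, "mail.google.com", ocsp_reachable=False)[0],
        "after_bogus": after.verify(BOGUS_CHAIN, "mail.google.com", ocsp_reachable=False)[0],
        "after_legit": after.verify(LEGIT_CHAIN, "portal.example.gov.in")[0],
        "chrome_bogus": chrome.verify(BOGUS_CHAIN, "mail.google.com", ocsp_reachable=False)[0],
        "chrome_legit": chrome.verify(LEGIT_CHAIN, "portal.example.gov.in")[0],
        "other_os_legit": other_os.verify(LEGIT_CHAIN, "portal.example.gov.in")[0],
    }
```

Running `run_scenarios()` shows the trade-off the article describes: before the update, a bogus Google certificate sails through as soon as the attacker blocks OCSP; after the update it is rejected regardless of OCSP, but so is the legitimate .in site issued by the same intermediate; Chrome's name constraint rejects the Google forgery while still accepting the .in site; and a platform without the CCA root rejects both.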