Microsoft warns of hack attempt on Windows Live, Google, Yahoo, Skype, Mozilla
Nine fake certificates were issued and revoked, prompting Microsoft to release an out-of-band security update.
By Microsoft Subnet on Wed, 03/23/11 - 2:14pm.
Microsoft issued a warning today that nine fraudulent digital certificates were issued by the root certificate authority Comodo Group. Although the certificates were quickly revoked, their initial issuance still poses a threat to browser users, including users of Internet Explorer. This is not a security flaw in Microsoft software, the company says, but it released a security update for Windows all the same.
The nine fake certificates affect the following Web sites, Microsoft says:
- login.live.com (Windows Live)
- mail.google.com
- www.google.com
- login.yahoo.com (3 certificates)
- login.skype.com
- addons.mozilla.org
- "Global Trustee"
Says Microsoft:
An alternative way for Web browsers to validate the identity of a digital certificate is by using the Online Certificate Status Protocol (OCSP). OCSP allows interactive validation of a certificate by connecting to an OCSP responder, hosted by the Certificate Authority (CA) which signed the digital certificate. Every certificate should provide a pointer to the OCSP responder location through the Authority Information Access (AIA) extension in the certificate. In addition, OCSP stapling allows the Web server itself to provide an OCSP validation response to the client.
OCSP validation is enabled by default on Internet Explorer 7 and later versions of Internet Explorer on supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. On these operating systems, if the OCSP validation check fails, the browser will validate the certificate by contacting the CRL Location. For more information on certificate revocation checking, see the TechNet article, Certificate Revocation and Status Checking.
So, if the browser automatically checks whether the certificate is still valid and discovers that it isn't, why issue a patch at all?
Because both checks depend on the network. OCSP needs to reach the CA's OCSP responder, and the fallback needs to reach the CA's Certificate Revocation List (CRL) distribution point. If the user can't reach either server, whether because of an ordinary connectivity problem or because an attacker who is already in a position to present the fraudulent certificate also blocks that traffic, the browser gets no proof that the certificate is revoked. It then treats a certificate chained to a trusted root as A-OK, uses it, and by then the damage could be done.
Explains Microsoft:
Even when CRL and OCSP validation is enabled, validation techniques are not sufficiently robust to guarantee that users are protected against malicious use of these certificates. When the CRL location and OCSP responder can be reached, validation checks are highly reliable and effective.
However, when certificate revocation checks fail due to network and connectivity issues, browsers and other client applications, including Internet Explorer, may ignore these errors and consider the certificate trustworthy due to the lack of proof otherwise. In these scenarios, customers may still be affected.
Microsoft says it has not seen any attacks in the wild. Nevertheless, its Windows update will be pushed out to users of Windows Automatic Updates. The update places the nine fraudulent certificates in the Windows Untrusted Certificates store, so Internet Explorer (and other Windows software that uses the system certificate store) rejects them whether or not a revocation check can reach Comodo's servers. For enterprises that don't use Automatic Updates, the update is available from the Microsoft Download Center.
The update does not require a reboot. More information is in Microsoft Security Advisory 2524375.
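The following is an added example, not code from Microsoft or from the original article. It models the client-side decision described above: OCSP first, CRL as the fallback, a policy choice when neither endpoint answers (soft-fail versus hard-fail), and the effect of a local distrust store of the kind the out-of-band update populates. The certificate, issuer name, serial number and endpoint URLs are constructed for the example; nothing here parses real X.509 or talks to a real CA.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNREACHABLE = "unreachable"   # endpoint did not answer: no proof either way


@dataclass(frozen=True)
class Cert:
    """Only the fields the revocation decision needs (constructed, not a real X.509 parser)."""
    subject: str
    issuer: str
    serial: int
    ocsp_url: str   # what the AIA extension would point at
    crl_url: str    # what the CRL Distribution Points extension would point at

    def fingerprint(self) -> str:
        # Stand-in for the thumbprint a real certificate store keys on.
        return hashlib.sha256(f"{self.issuer}|{self.serial}".encode()).hexdigest()


@dataclass
class Network:
    """Simulated CA endpoints: which URLs answer, and which serials the CA has revoked."""
    reachable: frozenset
    revoked: frozenset

    def ocsp(self, cert: Cert) -> Status:
        if cert.ocsp_url not in self.reachable:
            return Status.UNREACHABLE
        return Status.REVOKED if cert.serial in self.revoked else Status.GOOD

    def crl(self, cert: Cert) -> Status:
        if cert.crl_url not in self.reachable:
            return Status.UNREACHABLE
        return Status.REVOKED if cert.serial in self.revoked else Status.GOOD


def check_revocation(cert: Cert, net: Network, untrusted: frozenset = frozenset(),
                     hard_fail: bool = False) -> str:
    """Decision for a certificate whose chain already validates to a trusted root.

    Order mirrors the IE behaviour quoted above: OCSP first, CRL when OCSP gives no
    answer, then a policy decision when neither does. The local distrust store is
    consulted first because it needs no network at all.
    """
    if cert.fingerprint() in untrusted:
        return "reject: locally distrusted"
    status = net.ocsp(cert)
    if status is Status.UNREACHABLE:
        status = net.crl(cert)          # fall back to the CRL distribution point
    if status is Status.REVOKED:
        return "reject: revoked"
    if status is Status.GOOD:
        return "accept"
    # Neither endpoint answered. Soft-fail treats "no proof of revocation" as good.
    return "reject: revocation status unknown" if hard_fail else "accept: soft-fail"


# Constructed fraudulent certificate modelled on the incident (issuer, serial, URLs made up).
FRAUD = Cert("login.live.com", "Example Issuing CA", 0x2011,
             "http://ocsp.example-ca.test", "http://crl.example-ca.test/ca.crl")

# CA has revoked the certificate and both endpoints answer.
ONLINE = Network(reachable=frozenset({FRAUD.ocsp_url, FRAUD.crl_url}),
                 revoked=frozenset({FRAUD.serial}))
# Only the OCSP responder is blocked; the CRL fallback still works.
OCSP_BLOCKED = Network(reachable=frozenset({FRAUD.crl_url}), revoked=frozenset({FRAUD.serial}))
# An on-path attacker (or a captive network) blocks both endpoints.
BLOCKED = Network(reachable=frozenset(), revoked=frozenset({FRAUD.serial}))
# What the out-of-band update does: ship the bad certificates in a local distrust store.
PATCHED_STORE = frozenset({FRAUD.fingerprint()})


def scenarios() -> dict:
    return {
        "online, revoked": check_revocation(FRAUD, ONLINE),
        "ocsp blocked, crl reachable": check_revocation(FRAUD, OCSP_BLOCKED),
        "blocked, soft-fail (unpatched)": check_revocation(FRAUD, BLOCKED),
        "blocked, hard-fail": check_revocation(FRAUD, BLOCKED, hard_fail=True),
        "blocked, soft-fail, patched": check_revocation(FRAUD, BLOCKED, untrusted=PATCHED_STORE),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:32} -> {decision}")
```

The middle two scenarios are the page's point: the same revoked certificate is rejected when the CA's servers are reachable and accepted when they are not, unless the client is configured to fail closed. The last scenario shows why a local distrust list is the robust fix: it does not depend on the network at all.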
http://www.networkworld.com/community/blog/microsoft-warns-hack-attempt-windows-live-goo?source=NWWNLE_nlt_daily_pm_2011-03-23