Microsoft has untrusted several fraudulent digital certificates that impersonated Google and Yahoo domains, and there may be more bogus certificates still in circulation, waiting to be discovered. To keep users safe, the company has issued an out-of-band update for many versions of Windows.
The update removes trust from subordinate CA certificates operated by an Indian government agency.
Those subordinate CAs had issued certificates for Google and Yahoo domains they had no authority over, exposing Windows users to man-in-the-middle attacks. Google had already blocked the unauthorized certificates for its domains issued by the NIC (National Informatics Centre) of India and warned of a serious privacy and security threat to Windows users from the wrongly issued SSL certificates. An attacker holding one of these certificates and sitting on the network path between a user and a site can impersonate that site and read or alter what should have been an encrypted HTTPS session.
This is not the first incident of its kind. Last December, Google reported rogue certificates for Google domains issued by a French government agency (ANSSI).
Here’s How It Happened
NIC operates subordinate (intermediate) CA certificates issued under the root of the Controller of Certifying Authorities (CCA) of India, and that root is included in the Microsoft Root Store. Anything NIC signed therefore chained up to a trusted root on Windows, so every application that relies on the Windows certificate store, not just the browser, would accept the fraudulent certificates.
Putting it simply: an attacker able to intercept traffic (on the same Wi-Fi network, say, or at an ISP) could present one of these certificates to Internet Explorer on Windows and impersonate a Google-owned domain without any warning. Chrome on Windows uses the same Windows certificate store, though Google's own domains are protected in Chrome by public-key pinning, which is how the mis-issuance was caught; other domains had no such protection. Firefox users were safe because Firefox ships its own root store, which does not include the CCA India root.
A Microsoft spokesman said: “We have been working diligently on the mis-issued third-party certificates and have untrusted the related Subordinate Certification Authority certificates to ensure that our customers remain protected. Customers with automatic updates enabled do not need to take any action to remain protected.”
Microsoft also published an advisory explaining that the rogue certificates could be used to spoof content, mount phishing attacks, or carry out man-in-the-middle attacks.
Updates Are Available For Microsoft Customers
Windows 8, Windows 8.1 and Windows Phone 8 and 8.1, among others, receive the list of untrusted certificates through the built-in automatic updater of revoked certificates.
Because that updater runs on its own, users of those systems need take no action. Windows Vista, Windows 7 and their server counterparts get the list the same way only if the optional automatic updater of revoked certificates has been installed; otherwise the update has to be applied by hand, following Microsoft's instructions. Windows Server 2003 is not supported by the automatic updater at all, so it cannot pick up the untrusted certificates this way.
Microsoft's advisory listed 45 hostnames that could be spoofed with the counterfeit certificates, covering several subdomains of Google, Yahoo, Yahooapis, Yahoo-inc.com, Gstatic.com and Static.com. The update is out-of-band and writes the untrusted certificates into Windows' local list of disallowed certificates rather than relying on revocation. That matters: OCSP (Online Certificate Status Protocol) and CRL checks happen over the network at connection time, an attacker already in a man-in-the-middle position can simply block them, and browsers typically fail open when a revocation check does not complete. A locally stored untrusted list is consulted without any network lookup and cannot be bypassed that way.
Attackers may well hold further mis-issued certificates for other domains. The update untrusts the NIC subordinate CA certificates identified so far, so every certificate chaining through them, discovered or not, stops validating; what it does not cover is any other subordinate under the CCA root that might also have mis-issued, and that residual risk remains. The flip side is that legitimate sites whose certificates chain through an NIC intermediate now fail to validate on updated machines.
Removing the CCA India root from the trusted list altogether would have been safer still.
It would have cut off any undiscovered rogue subordinates as well. However, every legitimate site chaining to that root would then have thrown SSL errors. To limit the collateral damage, Microsoft has for now untrusted only the subordinate CA certificates known to have mis-issued.
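The trust-store mechanics behind this decision, as an added example that is not from the article, Microsoft or Google: a constructed Go program builds a throwaway three-tier PKI standing in for the CCA India root, an NIC subordinate and a well-behaved sibling subordinate, then validates a mis-issued certificate for mail.google.com and a legitimate certificate for a hypothetical site (portal.example) under three trust states. Go's crypto/x509 has no block list of its own, so the disallowed list and the check over each candidate chain are modelled here to mirror what the Windows update does; all names and keys are generated on the fly and none of it is real certificate material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// TrustStore models what a Windows-style verifier consults: trusted roots plus a locally stored
// list of certificates untrusted even though they chain to a trusted root. No OCSP/CRL fetch needed.
type TrustStore struct {
	Roots      *x509.CertPool
	Disallowed map[string]bool // keyed by DER bytes (Windows keys its Disallowed store by thumbprint)
}

// Verify accepts leaf for host only if some valid chain to a trusted root contains no disallowed
// certificate: untrusting one subordinate CA cuts every chain through it and nothing else.
func (ts TrustStore) Verify(leaf *x509.Certificate, inters []*x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	for _, c := range inters {
		pool.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: ts.Roots, Intermediates: pool})
	if err != nil {
		return err // no chain to any trusted root (e.g. the root itself was removed)
	}
next:
	for _, chain := range chains {
		for _, c := range chain {
			if ts.Disallowed[string(c.Raw)] {
				continue next
			}
		}
		return nil
	}
	return errors.New("every chain for " + host + " passes through an untrusted certificate")
}

// template is a CA template when ca is true, otherwise a server template whose name is its DNS name.
func template(name string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageCertSign,
	}
	if !ca {
		t.DNSNames, t.KeyUsage = []string{name}, x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a fresh P-256 key for tmpl and has parentKey sign it (nil parentKey: self-signed).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parentKey == nil {
		parentKey = key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Demo is a constructed stand-in for the real hierarchy (fresh test keys, not real certificates).
type Demo struct {
	Root, NIC, Sibling, MisIssued, Legit *x509.Certificate
}

func BuildDemoPKI() *Demo {
	rootT := template("Demo Root (stands in for CCA India)", 1, true)
	root, rootKey := issue(rootT, rootT, nil)
	nic, nicKey := issue(template("Demo Sub CA (stands in for NIC)", 2, true), root, rootKey)
	sib, sibKey := issue(template("Demo Sub CA (sibling)", 3, true), root, rootKey)
	bad, _ := issue(template("mail.google.com", 4, false), nic, nicKey) // the mis-issued certificate
	good, _ := issue(template("portal.example", 5, false), sib, sibKey) // hypothetical legitimate site
	return &Demo{Root: root, NIC: nic, Sibling: sib, MisIssued: bad, Legit: good}
}

// Check reports whether the mis-issued Google leaf and the legitimate sibling leaf are accepted
// with the root trusted (or not) and the NIC stand-in on the block list (or not).
func (d *Demo) Check(trustRoot, untrustNIC bool) (misIssuedOK, legitOK bool) {
	ts := TrustStore{Roots: x509.NewCertPool(), Disallowed: map[string]bool{string(d.NIC.Raw): untrustNIC}}
	if trustRoot {
		ts.Roots.AddCert(d.Root)
	}
	inters := []*x509.Certificate{d.NIC, d.Sibling}
	return ts.Verify(d.MisIssued, inters, "mail.google.com") == nil, ts.Verify(d.Legit, inters, "portal.example") == nil
}
```

`Check(true, false)` is the state before the update: the mis-issued mail.google.com certificate chains cleanly to the trusted root and both sites are accepted. `Check(true, true)` is the state after it: the NIC stand-in is on the block list, mail.google.com is rejected, and portal.example under the sibling subordinate still validates. `Check(false, false)` is the alternative the article weighs, dropping the root instead, and it rejects both, which is the collateral damage that argued against it. None of these decisions involve a network round trip, which is the difference from OCSP.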
What Should Windows Users Do?
If you are using Windows, make sure your system is up to date. Even after the update you remain exposed to any rogue certificates not yet discovered. Cautious Windows users can reach SSL-protected sites through Firefox or the Thunderbird mail client, which carry their own root store that does not include the CCA India root, so certificates chaining to it fail there regardless of the Windows update. Microsoft's Enhanced Mitigation Experience Toolkit (EMET) adds a further layer: its certificate trust (pinning) rules let you restrict which root CA may be accepted for a given domain.
Linux and Mac OS X users are not affected, because their root stores do not include the CCA India root, so certificates chaining to it never validated there in the first place. Windows users have no reason to panic: this was a mis-issuance rather than a software bug, the subordinate CAs involved have been identified and untrusted, and Microsoft says it is working on how to deal with any rogue certificates that remain undetected.