Microsoft has issued an emergency security update – “Improperly Issued Digital Certificates Could Allow Spoofing” – just two days after its regular monthly Patch Tuesday release cycle in order to address forged security certificates that could have been used to spoof Google and Yahoo websites.
The forged certificates had been generated by India’s National Informatics Centre (NIC) and were detected by Google’s security team at the beginning of this month.
Whilst Google’s own products did not trust the Government of India Controller of Certifying Authorities (CCA), under which the NIC operates subordinate certifying authorities, Microsoft’s Trusted Root Store did.
In all, it was determined that attackers had issued at least 45 certificates after gaining access to the NIC generation systems, giving them the ability to potentially spoof search engines, banks, email providers and credit card processors.
“The Microsoft advisory about fake Google and Yahoo certificates in the wild underscores the key risks of using public key infrastructure (PKI) to ensure the authenticity of a remote party. The system we use for securing websites is based on the network of trusted certificate authorities and subordinate authorities. When any one of these authorities is controlled by someone with malicious intentions it’s possible to impersonate services such as web sites, email, and file transfer. The malicious possibilities are limitless.
This problem is compounded by the fact that computers and SSL systems are designed to trust a long list of authorities. We’ve seen certificate authorities get compromised and used to sign counterfeit certificates several times in the recent past. This is why SSL implementations should always use revocation lists.
One of the best ways to protect users from this type of threat is through the use of pinned certificates. This is a deployment in which software is designed to require specific certificates instead of allowing any certificate signed by a ‘trusted’ authority. This practice is used in the Gmail app for Android, for example. Unfortunately this approach does not scale for general web browsing. To protect themselves from these kinds of incidents users may want to remove trust for regional certificate authorities that aren’t needed in the user’s locale.”
Craig Young, security researcher
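The pinning Young describes, reduced to the check an application performs after normal chain validation: hash the leaf certificate's SubjectPublicKeyInfo and accept the connection only if that hash is one the application shipped with, regardless of which "trusted" authority signed the certificate. This is an added example, not code from the article or from any product it mentions; the DER walker assumes the standard X.509 field order, and the sample certificate is constructed inline rather than taken from any real CA.

```python
import base64
import hashlib

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo (tag, length and value) of an X.509 cert."""
    _, start, _ = _tlv(cert_der, 0)          # Certificate SEQUENCE
    _, pos, _ = _tlv(cert_der, start)        # tbsCertificate SEQUENCE
    tag, _, nxt = _tlv(cert_der, pos)
    if tag == 0xA0:                          # optional [0] EXPLICIT version (absent in v1 certs)
        pos = nxt
    for _ in range(5):                       # serialNumber, signature, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    tag, _, vend = _tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    return cert_der[pos:vend]

def spki_pin(cert_der):
    """Base64(SHA-256(SPKI)): the pin format used by HPKP and Android network pinning."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def pin_matches(cert_der, pins):
    """True only if the leaf's public key is one the application pinned."""
    return spki_pin(cert_der) in pins

# --- constructed sample certificate (not a real one; only the DER layout matters) ---
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

_RSA_ALG = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption, NULL
SAMPLE_SPKI = _der(0x30, _RSA_ALG + _der(0x03, b"\x00" + b"\x42" * 140))     # dummy key bits
SAMPLE_CERT = _der(0x30,
    _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")          # version v3, serial
         + _der(0x30, b"") * 4 + SAMPLE_SPKI)                                 # sig/issuer/validity/subject stubs
    + _der(0x30, b"") + _der(0x03, b"\x00"))                                  # signatureAlgorithm, signatureValue
```

In a real client the leaf bytes come from `ssl.SSLSocket.getpeercert(binary_form=True)` after the default chain validation has already passed, and the pin set should include a backup key so a routine certificate rotation does not lock users out.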
Dustin Childs, group manager of response communications, explained that the rogue certificates could be used not only to spoof content but also to perform phishing or man-in-the-middle attacks against web properties, with Google adding that “The subordinate CAs may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks.”
The security update is being pushed out automatically to all users of Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012 and Windows Server 2012 R2. Users of other versions of the operating system going back to Vista are also covered if they have the automatic updater of revoked certificates installed. Users of Vista or newer versions of Windows that run in a disconnected environment can install update 2813430.
Accordingly, Tyler Reguly, Tripwire’s manager of security research said:
“This is a fairly minor security concern that will address itself for most users because most certificates will be revoked automatically on most modern Windows systems.
Users that have disabled CRL updates or have systems that are disconnected from the Internet may need to take additional manual steps based on the advisory data.
It is always unfortunate when this happens but the advisory is basically the end of the problem. Once the certificates are added to the CRL, the problem becomes moot. It’s when people are unaware of the issue that it causes harm.
This is one of the inherent risks in the current system we use; it’s possible for mistakes and malicious actions to lead to improperly issued certificates.”
Further information, along with a list of the affected domains, can be found on TechNet.