Improperly issued SSL certificates could allow spoofing, affects Windows 8.1 and Windows Phone 8.1

Ron

Microsoft has revoked “improperly issued” SSL certificates that could allow spoofing, the company stated today. The issue (KB2982792) affects all versions of Windows, including Windows 8.1 and even Windows Phone 8.1. But have no fear: there is no action to take if you are using the latest version of Windows.

“Microsoft is aware of improperly issued SSL certificates that could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. The SSL certificates were improperly issued by the National Informatics Centre (NIC), which operates subordinate CAs under root CAs operated by the Government of India Controller of Certifying Authorities (CCA), which are CAs present in the Trusted Root Certification Authorities Store. This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue,” Microsoft stated.

The SSL certificates were improperly issued for Google web properties, as well as other sites. In fact, 45 certificates were issued by the National Informatics Centre, a certificate authority operating under the Government of India Controller of Certifying Authorities. These SSL certificates could be used to spoof content, perform phishing attacks, or worse.

A spoofing attack, for those who did not know, is when a malicious party impersonates another device or user on a network in order to launch attacks against network hosts, steal data, spread malware, or bypass access controls.

Microsoft has already revoked these certificates and has updated the Certificate Trust List (CTL) for all supported releases of Windows, including Windows 8.1, Windows 8, Windows RT, Windows Phone 8, and Windows Phone 8.1. No action is needed, as the update was applied automatically. Those on Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 must be using the automatic updater of revoked certificates in order to receive the update automatically.

No update is available for customers running Windows Server 2003 or Windows XP.