Microsoft issued a warning today that nine fraudulent digital certificates were issued by the root certificate authority Comodo Group. Although the certificates were quickly revoked, their initial release still poses a threat to browser users, including users of Internet Explorer. This is not a security flaw in Microsoft software, the company says, but it released a security update for Windows all the same.
The nine fake certificates affect the following Web sites, Microsoft says:
- login.live.com (Windows Live)
- login.yahoo.com (3 certificates)
- "Global Trustee"
Fraudulent certificates give hackers the ability to spoof content, phish, or insert themselves in man-in-the-middle attacks, collecting information that users think is being sent over a secure link from browser to Web site. Browsers with the Online Certificate Status Protocol (OCSP) enabled will automatically invalidate these certificates and block them from being used. IE7 and later support this by default, as do Firefox 3 and later, Safari on Mac OS X (where it must be manually activated), Opera 8 and Chrome.
An alternative way for Web browsers to validate the identity of a digital certificate is by using the Online Certificate Status Protocol (OCSP). OCSP allows interactive validation of a certificate by connecting to an OCSP responder, hosted by the Certificate Authority (CA) which signed the digital certificate. Every certificate should provide a pointer to the OCSP responder location through the Authority Information Access (AIA) extension in the certificate. In addition, OCSP stapling allows the Web server itself to provide an OCSP validation response to the client.
OCSP validation is enabled by default on Internet Explorer 7 and later versions of Internet Explorer on supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. On these operating systems, if the OCSP validation check fails, the browser will validate the certificate by contacting the CRL Location. For more information on certificate revocation checking, see the TechNet article, Certificate Revocation and Status Checking.
So, if the browser will automatically check whether the certificate is valid and discover that it isn't, why issue a patch at all?
Revocation checking relies on being able to reach the CA's OCSP responder or its Certificate Revocation List (CRL). If users can't get to that server, the browser assumes that a certificate issued by a trusted root authority is A-OK and uses it, and by then the damage could be done.
Even when CRL and OCSP validation is enabled, validation techniques are not sufficiently robust to guarantee that users are protected against malicious use of these certificates. When the CRL location and OCSP responder can be reached, validation checks are highly reliable and effective.
However, when certificate revocation checks fail due to network and connectivity issues, browsers and other client applications, including Internet Explorer, may ignore these errors and consider the certificate trustworthy due to the lack of proof otherwise. In these scenarios, customers may still be affected.
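Two points above are worth seeing in code: the AIA extension is where a client finds the OCSP responder URL, and the "lack of proof otherwise" behaviour is a policy choice (soft-fail accepts an unreachable responder, hard-fail does not). The following is an added example, not code from Microsoft or the article; the DER walker handles only the AIA value, and every URL and byte string in it is constructed.

```python
# Constructed example: extract OCSP / CA-issuer URLs from an X.509
# AuthorityInfoAccess extension value and model the soft-fail vs hard-fail
# revocation decision. Sample URLs are made up for illustration.

OID_OCSP = bytes.fromhex("2b06010505073001")        # id-ad-ocsp  1.3.6.1.5.5.7.48.1
OID_CA_ISSUERS = bytes.fromhex("2b06010505073002")  # id-ad-caIssuers 1.3.6.1.5.5.7.48.2
TAG_SEQUENCE, TAG_OID, TAG_URI = 0x30, 0x06, 0x86   # 0x86 = [6] uniformResourceIdentifier

def der(tag, body):
    """Encode one DER TLV, using long-form length when the body is >= 128 bytes."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def read_tlv(buf, pos):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                                   # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def parse_aia(ext_value):
    """Map 'ocsp' and 'ca_issuers' to the URIs listed in an AIA extension value."""
    found = {"ocsp": [], "ca_issuers": []}
    tag, seq, _ = read_tlv(ext_value, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("AIA value must be a SEQUENCE of AccessDescription")
    pos = 0
    while pos < len(seq):
        _, desc, pos = read_tlv(seq, pos)              # one AccessDescription
        _, oid, p = read_tlv(desc, 0)                  # accessMethod OID
        ltag, loc, _ = read_tlv(desc, p)               # accessLocation GeneralName
        key = {OID_OCSP: "ocsp", OID_CA_ISSUERS: "ca_issuers"}.get(oid)
        if key and ltag == TAG_URI:                    # only URI locations are useful here
            found[key].append(loc.decode("ascii"))
    return found

def trust_decision(ocsp_status, hard_fail=False):
    """ocsp_status is 'good', 'revoked', or None when the responder is unreachable.
    Soft-fail (the browser default described above) trusts the cert on None."""
    if ocsp_status in ("good", "revoked"):
        return ocsp_status == "good"
    return not hard_fail

# Constructed AIA value: one OCSP responder plus one CA-issuers pointer
SAMPLE_AIA = der(TAG_SEQUENCE,
    der(TAG_SEQUENCE, der(TAG_OID, OID_OCSP) + der(TAG_URI, b"http://ocsp.example.test"))
    + der(TAG_SEQUENCE, der(TAG_OID, OID_CA_ISSUERS) + der(TAG_URI, b"http://ca.example.test/ca.crt")))
```

With `hard_fail=True` a blocked or sinkholed responder makes the connection fail instead of silently succeeding, which is exactly the gap the Windows patch closes for these nine certificates by not consulting revocation at all.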
Microsoft says it has not seen any attacks in the wild. Nevertheless, its Windows patch will be pushed out to users of its Windows Automatic Updates to ensure that the fraudulent certificates are not treated by IE as if they were valid. For enterprises that don't use Automatic Updates, the patch is available from the Microsoft Download Center.
The patch does not require a reboot. Here is more information on Security Advisory 2524375.
Follow me on Twitter @Julie188