Microsoft warns of fake SSL certificate for Windows Live
Microsoft has warned that a fake security certificate has been issued for the Windows Live domain that could be abused by attackers
Microsoft has warned that an SSL certificate for the domain live.fi has been “improperly issued” and could be used to spoof content and perform phishing attacks or man in the middle attacks.
“It cannot be used to issue other certificates, impersonate other domains or sign code,” the company said in a security advisory.
All supported versions of Microsoft’s Windows operating system are vulnerable, but the fake certificate will be revoked for all subscribers to Microsoft’s automatic update service.
The fake certificate has been revoked by the issuing certificate authority and Microsoft has updated the Certificate Trust List for all supported versions of Windows, the software firm said.
Industry pundits expect Google and Mozilla to issue updates for the Chrome and Firefox browsers in the coming days.
However, Microsoft said customers running Windows Server 2003 or who choose not to install the automatic updater of revoked certificates, Microsoft recommends that the 2917500 update be applied immediately using update management software, by checking for updates using the Microsoft Update service, or by downloading and applying the update manually.
Read more about SSL vulnerabilities
- PrivDog compromises the secure sockets layer (SSL) protocol used to secure online transactions.
- The Poodle SSL vulnerability has been patched, yet new vulnerabilities are causing concern.
- Researchers say the SSL flaw in Microsoft Windows could be worse than Heartbleed.
- Following Heartbleed, six more OpenSSL vulnerabilities have been discovered.
Vulnerabilities in SSL methods
Microsoft plans to release the update for supported editions of Windows Server 2003 on 19 March 2015.
Security commentators have also warned that because of flaws in current SSL revocation methods, attackers may still be able to maliciously use the certificate against unsuspecting users.
Microsoft's advisory suggests the forgery was the result of someone obtaining an email address that is typically reserved for website operators to demonstrate their control of given domain.
“A certificate was improperly issued due to a misconfigured privileged email account on the live.fi domain. An email account was able to be registered for the live.fi domain using a privileged username, which was subsequently used to request an unauthorised certificate for that domain,” the advisory said.
This highlights another weakness in the system, because it means that anyone who can hijack a privileged account can use it to apply for a validated certificate.
Microsoft’s scramble to revoke trust in the secure sockets layer/transport layer security certificate for its Windows Live domain is the latest in a series of weaknesses SSL/TLS, the technology that was designed to keep online transactions secure.
Apple patched a critical SSL flaw in iOS and Mac OS about a year ago, but that has since been followed by other SSL flaws better known as Heartbleed, Poodle, Superfish, PrivDog and the Freak vulnerability.