Microsoft has warned that an SSL certificate for the domain live.fi has been “improperly issued” and could be used to spoof content and perform phishing or man-in-the-middle attacks.
“It cannot be used to issue other certificates, impersonate other domains or sign code,” the company said in a security advisory.

All supported versions of Microsoft’s Windows operating system are affected, but trust in the mis-issued certificate will be revoked automatically for all subscribers to Microsoft’s automatic update service.
The certificate has been revoked by the issuing certificate authority, and Microsoft has updated the Certificate Trust List for all supported versions of Windows, the software firm said.
Industry pundits expect Google and Mozilla to issue updates for the Chrome and Firefox browsers in the coming days.
However, for customers running Windows Server 2003, or who choose not to install the automatic updater of revoked certificates, Microsoft recommends that update 2917500 be applied immediately, either through update management software, by checking for updates using the Microsoft Update service, or by downloading and applying the update manually.

Vulnerabilities in SSL methods
Microsoft plans to release the update for supported editions of Windows Server 2003 on 19 March 2015.
Security commentators have also warned that, because of weaknesses in current SSL revocation methods (many clients soft-fail when a certificate revocation list or OCSP responder cannot be reached, and some browsers do not perform the check at all), attackers may still be able to use the certificate against unsuspecting users.
Microsoft’s advisory suggests the mis-issuance was the result of someone obtaining an email address that is typically reserved for website operators to demonstrate their control of a given domain.
“A certificate was improperly issued due to a misconfigured privileged email account on the live.fi domain. An email account was able to be registered for the live.fi domain using a privileged username, which was subsequently used to request an unauthorised certificate for that domain,” the advisory said.
This highlights another weakness in the system: certificate authorities accept email sent to a handful of reserved addresses (such as admin@, administrator@, webmaster@, hostmaster@ and postmaster@) as proof of control of a domain, so anyone who can register or hijack one of those accounts can use it to obtain a validated certificate for that domain. A public email service that lets ordinary users choose those names hands that proof to whoever claims them first.
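The check an email provider would need to close this hole, as an added example that is not code from Microsoft, Comodo or ComputerWeekly: it refuses to register, and audits existing accounts for, the local-parts that the CA/Browser Forum Baseline Requirements let a CA email as proof of domain control. The extra RFC 2142 role names in the deny-list and the “+tag” and dot normalisation are assumptions about one particular provider’s routing rules, not something the advisory states.

```python
"""Signup guard for a public e-mail provider: constructed example, not code
from Microsoft, Comodo or ComputerWeekly.

A CA validating control of a domain by e-mail may send its challenge to a
small set of reserved local-parts (CA/Browser Forum Baseline Requirements,
section 3.2.2.4.4). If a public mail service lets any user register those
names, that user can pass domain validation for the whole domain. The
guard below rejects such names at signup and audits existing accounts.
"""
import unicodedata
from typing import Iterable, List, Tuple

# Local-parts a CA may use for e-mail-based domain validation (CA/B Forum BRs).
CAB_FORUM_RESERVED = frozenset(
    {"admin", "administrator", "webmaster", "hostmaster", "postmaster"}
)

# Assumption: the operator additionally blocks RFC 2142 role mailboxes that
# CAs and registrars commonly contact; this list is not from the BRs.
OPERATOR_RESERVED = frozenset({"abuse", "security", "noc", "support"})

RESERVED = CAB_FORUM_RESERVED | OPERATOR_RESERVED


def normalize_local_part(local_part: str, dots_insignificant: bool = False) -> str:
    """Reduce a requested mailbox name to the form the mail server would
    actually route on, so look-alikes cannot slip past the deny-list.

    - NFKC folds fullwidth/compatibility characters ('ａｄｍｉｎ' -> 'admin')
    - casefold handles 'Admin' and 'ADMIN'
    - the '+tag' sub-address is dropped because mail to 'admin+x@' is
      delivered to the 'admin' mailbox on many systems (assumed provider rule)
    - dots are removed only if the provider treats them as insignificant
      (assumed provider rule; most providers do not)
    """
    name = unicodedata.normalize("NFKC", local_part).strip().casefold()
    name = name.split("+", 1)[0]
    if dots_insignificant:
        name = name.replace(".", "")
    return name


def is_reserved_mailbox(local_part: str, dots_insignificant: bool = False) -> bool:
    """True if registering this name would hand out a domain-validation mailbox."""
    return normalize_local_part(local_part, dots_insignificant) in RESERVED


def validate_signup(local_part: str, dots_insignificant: bool = False) -> Tuple[bool, str]:
    """Decision for the signup form: (allowed, reason)."""
    if not local_part or "@" in local_part:
        return False, "local-part only, without '@'"
    if is_reserved_mailbox(local_part, dots_insignificant):
        return False, "reserved: usable for certificate domain validation"
    return True, "ok"


def audit_existing_accounts(accounts: Iterable[str], dots_insignificant: bool = False) -> List[str]:
    """Find already-registered names that a CA would accept as proof of
    control, so they can be locked before anyone requests a certificate."""
    return [a for a in accounts if is_reserved_mailbox(a, dots_insignificant)]


# Constructed sample of registered mailbox names on a public mail domain.
SAMPLE_ACCOUNTS = ["alice", "ADMIN", "bob", "post.master", "security+cert", "ｗebmaster"]

if __name__ == "__main__":
    print(validate_signup("hostmaster"))
    print(audit_existing_accounts(SAMPLE_ACCOUNTS))
    print(audit_existing_accounts(SAMPLE_ACCOUNTS, dots_insignificant=True))
```

The audit pass matters as much as the signup check: the advisory describes an account that had already been registered, so a provider fixing the signup form alone would leave any existing privileged-name mailboxes in the hands of whoever holds them.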
Microsoft’s scramble to revoke trust in the secure sockets layer/transport layer security certificate for its Windows Live domain is the latest in a series of weaknesses in SSL/TLS, the technology that was designed to keep online transactions secure.
Apple patched a critical SSL flaw in iOS and Mac OS about a year ago, but that has since been followed by other SSL/TLS flaws and trust failures better known as Heartbleed, Poodle, Superfish, PrivDog and the Freak vulnerability.
