Microsoft updated its Certificate Trust List (CTL) for all supported releases of Microsoft Windows to remove trust in mis-issued third-party digital certificates.
According to Dustin Childs, group manager, response communications at Microsoft, these certificates could have been used to spoof content and perform phishing or man-in-the-middle attacks against web properties. “With this update, most customers will be automatically protected against this issue and will not need to take any action,” he said.
“If you do not have automatic updates enabled, or if you are on Windows Server 2003, please see the Security Advisory 2982792 for recommended actions. Additionally, the Enhanced Mitigation Experience Toolkit (EMET) 4.1, and newer versions, help to mitigate man-in-the-middle attacks by detecting untrusted or improperly issued SSL certificates through the Certificate Trust feature.”
Commenting, Craig Young, security researcher at Tripwire, said this underscores the key risks of using public key infrastructure (PKI) to ensure the authenticity of a remote party.
“The system we use for securing websites is based on the network of trusted certificate authorities and subordinate authorities. When any one of these authorities is controlled by someone with malicious intentions it’s possible to impersonate services such as websites, email and file transfer. The malicious possibilities are limitless,” he said.
“This problem is compounded by the fact that computers and SSL systems are designed to trust a long list of authorities. We’ve seen certificate authorities get compromised and used to sign counterfeit certificates several times in the recent past. This is why SSL implementations should always use revocation lists.”
Tyler Reguly, manager of security research at Tripwire, said: “This is a fairly minor security concern that will address itself for most users because most certificates will be revoked automatically on most modern Windows systems. Users that have disabled CRL updates or have systems that are disconnected from the internet may need to take additional manual steps based on the advisory data.
“It is always unfortunate when this happens but the advisory is basically the end of the problem. Once the certificates are added to the CRL, the problem becomes moot. It’s when people are unaware of the issue that it causes harm. This is one of the inherent risks in the current system we use; it’s possible for mistakes and malicious actions to lead to improperly issued certificates.”