Microsoft has warned that a fraudulently obtained SSL certificate has been issued for its live.fi domain, and could be used to launch convincing man-in-the-middle attacks against users of any version of Windows.
“Microsoft is aware of an improperly issued SSL certificate for the domain ‘live.fi’ that could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks,” Microsoft stated in an advisory. “It cannot be used to issue other certificates, impersonate other domains, or sign code… Microsoft is not currently aware of attacks related to this issue.”
The certificate, issued by Comodo, has already been revoked, but revocation alone offers limited protection: according to security researchers, it is relatively easy to carry out attacks using revoked certificates, because browsers that cannot complete a revocation check treat the certificate as valid. For that reason most browsers also maintain their own lists of revoked certificates (Chrome's CRLSet and Firefox's OneCRL), which are consulted locally rather than fetched from the CA during the connection, and Google and Mozilla were expected to release updates for their browsers imminently.
Certain versions of Windows – Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012 and Windows Server 2012 R2, as well as Windows Phone 8 and Windows Phone 8.1 – include an automatic updater of revoked certificates, so that users of those systems don’t need to take any action, Microsoft said.
Users of other versions of Windows can install the automatic updater themselves or, if they prefer not to, can manually install the update that removes trust in the revoked certificate, according to Microsoft.
Privileged email account
The company didn't specify exactly how the certificate came to be issued in the first place, only stating that the incident involved a “misconfigured privileged email account”.
“An email account was able to be registered for the live.fi domain using a privileged username, which was subsequently used to request an unauthorised certificate for that domain,” Microsoft stated.
Such accounts are the ones whose mailbox name is admin, administrator, postmaster, hostmaster or webmaster, according to Comodo. These are the addresses a CA is permitted to email as proof of domain control under the CA/Browser Forum Baseline Requirements, so any domain that lets the public register mailboxes, as a consumer email domain such as live.fi does, has to reserve those names before anyone else can claim them.
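The check a mail provider needs at signup time, as an added example (this is not code from the article, Microsoft or Comodo): refuse any mailbox name that a CA would accept as proof of domain control. The reserved list is the one the article attributes to Comodo; the delivery rules (case folding, `+tag` stripping, dot-insensitivity, quoted local parts) are assumptions about how a webmail service might treat addresses, included because that is where a naive string comparison gets bypassed.

```python
"""Added example: reserve CA domain-validation mailbox names at signup.

Not the article's, Microsoft's or Comodo's code.  The delivery rules
below are assumptions made for the demonstration.
"""
import unicodedata

# Local parts a CA may email for domain validation (the article's list).
RESERVED_LOCAL_PARTS = frozenset(
    {"admin", "administrator", "postmaster", "hostmaster", "webmaster"}
)


def canonical_local_part(local_part, dots_ignored=False, plus_tags=True):
    """Reduce a requested mailbox name to the mailbox it would actually
    deliver to, so that equivalent spellings collide with the reserved list.

    dots_ignored: provider delivers post.master and postmaster alike
                  (assumed, Gmail-style behaviour).
    plus_tags:    provider strips a +tag suffix before delivery (assumed).
    """
    s = local_part.strip()
    # "admin"@example.org is a valid quoted local part for the same mailbox.
    if len(s) >= 2 and s[0] == s[-1] == '"':
        s = s[1:-1]
    # NFKC folds presentation variants such as fullwidth letters; casefold
    # handles upper/lower case more thoroughly than lower().
    s = unicodedata.normalize("NFKC", s).casefold()
    if plus_tags:
        s = s.split("+", 1)[0]
    if dots_ignored:
        s = s.replace(".", "")
    return s


def is_registrable(local_part, **delivery_rules):
    """True if an ordinary user may be given this mailbox name."""
    return canonical_local_part(local_part, **delivery_rules) not in RESERVED_LOCAL_PARTS


def audit_existing(local_parts, **delivery_rules):
    """Already-registered names that collide with a reserved address, for
    cleaning up a mail system after the fact (sorted for stable output)."""
    return sorted(lp for lp in local_parts if not is_registrable(lp, **delivery_rules))


if __name__ == "__main__":
    # Constructed sample of signup requests; not real live.fi data.
    requests = ["alice", "Admin", "hostmaster+tickets", "post.master",
                "ｗｅｂｍａｓｔｅｒ", '"administrator"']
    for name in requests:
        verdict = "OK" if is_registrable(name, dots_ignored=True) else "RESERVED"
        print(f"{name!r:24} -> {verdict}")
```

NFKC catches fullwidth and similar presentation forms but not cross-script confusables (a Cyrillic а in "аdmin"), so a provider that allows non-ASCII mailbox names should additionally restrict the script or apply a confusables table before this check; the audit function is there because the live.fi account had already been registered before anyone thought to block it.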
The incident highlights one of the weaknesses of the certificate system behind SSL/TLS, which encrypts most sensitive web traffic: obtaining a fraudulent certificate is comparatively easy, while getting clients to stop trusting one once it exists is comparatively hard.
In most browsers, if the revocation status of a certificate cannot be obtained (for example because the CA's OCSP responder or CRL server does not answer), the browser by default treats the certificate as still valid; this is known as soft-fail checking. As security researchers have demonstrated, an attacker who is already in a man-in-the-middle position can simply block or drop the revocation response, so a revoked certificate continues to be accepted. That is why the revocation lists shipped inside the browsers matter: they are consulted locally, without any request the attacker can interfere with.
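An added example of that decision logic, not code from the article or from any browser vendor: a CRL check written both ways (soft-fail and fail-closed) alongside a small client-held revocation list of the kind the browsers push, run against a test CA, a leaf certificate for live.fi and a CRL that revokes it, all generated in memory. It requires the third-party `cryptography` package; the clock value, the test CA name and the `(issuer DN, serial)` shape of the pinned list are assumptions made for the demonstration.

```python
"""Added example: why blocking the revocation fetch defeats a soft-fail
client, and why a list the client already holds does not depend on it.
Requires the `cryptography` package.  CA, leaf and CRL are test artifacts
generated here, not Comodo's or Microsoft's material."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2015, 3, 17, tzinfo=datetime.timezone.utc)  # assumed clock


def _cert(subject, issuer, pubkey, signer, days, ca):
    builder = (x509.CertificateBuilder()
               .subject_name(subject).issuer_name(issuer).public_key(pubkey)
               .serial_number(x509.random_serial_number())
               .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=days))
               .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    return builder.sign(signer, hashes.SHA256())


def make_pki():
    """Test CA plus a leaf certificate for live.fi signed by it."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    ca_cert = _cert(ca_name, ca_name, ca_key.public_key(), ca_key, 365, ca=True)
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    leaf_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "live.fi")])
    leaf = _cert(leaf_name, ca_name, leaf_key.public_key(), ca_key, 90, ca=False)
    return ca_key, ca_cert, leaf


def make_crl(ca_key, ca_cert, revoked_serials):
    """DER-encoded CRL from the CA listing the given serials as revoked."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject)
               .last_update(NOW).next_update(NOW + datetime.timedelta(days=7)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(NOW).build())
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def _next_update(crl):
    """Aware next-update time across cryptography versions (next_update_utc
    exists only in newer releases; next_update is naive UTC in older ones)."""
    nu = getattr(crl, "next_update_utc", None)
    if nu is None and crl.next_update is not None:
        nu = crl.next_update.replace(tzinfo=datetime.timezone.utc)
    return nu


def pin_key(issuer_cert, serial):
    """Key for the client-held revocation list: issuer DN plus serial."""
    return (issuer_cert.subject.rfc4514_string(), serial)


def is_trusted(leaf, issuer_cert, crl_der, pinned, fail_closed):
    """Decide whether `leaf` is acceptable.

    crl_der is None when the CRL fetch failed (timeout, or an attacker on
    the path dropped it).  `pinned` is the set of pin_key() entries the
    client already holds; it needs no network access to consult them.
    """
    if pin_key(issuer_cert, leaf.serial_number) in pinned:
        return False
    if crl_der is None:
        # Soft-fail (fail_closed=False) accepts an unverifiable certificate,
        # which is exactly what keeps a revoked one working when the fetch is blocked.
        return not fail_closed
    crl = x509.load_der_x509_crl(crl_der)
    if crl.issuer != issuer_cert.subject or not crl.is_signature_valid(issuer_cert.public_key()):
        return False  # a CRL not signed by the issuer proves nothing
    nu = _next_update(crl)
    if nu is not None and nu < NOW:
        return not fail_closed  # stale CRL: same decision as no CRL at all
    return crl.get_revoked_certificate_by_serial_number(leaf.serial_number) is None


def demo():
    ca_key, ca_cert, leaf = make_pki()
    revoking_crl = make_crl(ca_key, ca_cert, [leaf.serial_number])
    clean_crl = make_crl(ca_key, ca_cert, [])
    no_pins, pins = set(), {pin_key(ca_cert, leaf.serial_number)}
    return {
        "clean_crl_reachable": is_trusted(leaf, ca_cert, clean_crl, no_pins, fail_closed=False),
        "crl_reachable":       is_trusted(leaf, ca_cert, revoking_crl, no_pins, fail_closed=False),
        "crl_blocked_soft":    is_trusted(leaf, ca_cert, None, no_pins, fail_closed=False),
        "crl_blocked_hard":    is_trusted(leaf, ca_cert, None, no_pins, fail_closed=True),
        "crl_blocked_pinned":  is_trusted(leaf, ca_cert, None, pins, fail_closed=False),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:22} -> {'accepted' if ok else 'rejected'}")
```

The `crl_blocked_soft` case is the attack the researchers describe: the certificate is revoked, the client is configured the way browsers ship, and the connection is still accepted. Switching to fail-closed fixes it at the cost of breaking every site whose CA is unreachable, which is why vendors settled on pushing a curated list instead; the same logic applies unchanged to OCSP responses.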