nsane.forums Posted January 3, 2013

Microsoft joined Google and Mozilla in withdrawing the trust of digital certificates used in man-in-the-middle/spoofing attacks against the *google.com domain.

Microsoft, Google and Mozilla separately nuked the trust of digital certificates issued by a Turkish certificate authority after spotting man-in-the-middle/spoofing attacks against the Google.com domain.

In a security advisory, Microsoft said it was aware of "active attacks" using a fraudulent digital certificate issued by TURKTRUST Inc., which is a CA present in the Trusted Root Certification Authorities Store of all the major web browsers.

The severity of the issue was heightened when TURKTRUST confirmed it incorrectly created two subsidiary CAs for the Turkish government (*.EGO.GOV.TR and e-islem.kktcmerkezbankasi.org). The two intermediate CAs were issued since August 2011.

"The *.EGO.GOV.TR subsidiary CA was then used to issue a fraudulent digital certificate to *.google.com. This fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Google web properties," Microsoft warned.

In a separate warning, Google said its Chrome browser detected and blocked an unauthorized digital certificate for the "*.google.com" domain.

"We investigated immediately and found the certificate was issued by an intermediate certificate authority (CA) linking back to TURKTRUST, a Turkish certificate authority. Intermediate CA certificates carry the full authority of the CA, so anyone who has one can use it to create a certificate for any website they wish to impersonate," the company said.

Google has since updated Chrome’s certificate revocation metadata to block that intermediate CA. Given the severity of this issue, Google plans to update Chrome again in January to no longer indicate Extended Validation status for certificates issued by TURKTRUST.

Mozilla also joined the other browser vendors in addressing this problem. Mozilla director of security assurance Michael Coates said the open-source group will revoke the trust for the two mis-issued certificates in the next Firefox update due on Tuesday 8th January.

View: Original Article
Administrator DKT27 Posted January 3, 2013

Microsoft updates Windows digital certificate list to defeat hackers

Microsoft has announced it has launched an update for the Certificate Trust list for all supported versions of Windows to remove one false digital certificate that has been used in hacker attacks.

Microsoft is making a quick move to update all of its supported versions of Windows in order to stop a known hacker attack. The company issued a security bulletin today that announced the release of a new version of its Certificate Trust list.

The security bulletin announced that Microsoft has been alerted that a digital certificate issued by TURKTRUST was a fraud. The message states:

"This fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows."

In addition, TURKTRUST mistakenly issued two subsidiary CAs that were used to create a false digital certificate for Google's main domain, which can also open the door for hackers to perform similar attacks on a number of Google's web services.

Microsoft has now updated its Certificate Trust list and is " ... providing an update for all supported releases of Microsoft Windows that removes the trust of certificates that are causing this issue." PCs that have automatic updates set up do not need to do anything. However, PCs that have Windows XP and Windows Server 2003 installed that don't have the automatic updater set up should go ahead and download the update manually.

View: Original Article
Archived
This topic is now archived and is closed to further replies.