Microsoft warns of fake SSL certificate for Windows Live

Microsoft has warned that a fake security certificate has been issued for the Windows Live domain that could be abused by attackers

Microsoft has warned that an SSL certificate for the domain has been “improperly issued” and could be used to spoof content and perform phishing attacks or man in the middle attacks.

“It cannot be used to issue other certificates, impersonate other domains or sign code,” the company said in a security advisory.

All supported versions of Microsoft’s Windows operating system are vulnerable, but the fake certificate will be revoked for all subscribers to Microsoft’s automatic update service.

The fake certificate has been revoked by the issuing certificate authority and Microsoft has updated the Certificate Trust List for all supported versions of Windows, the software firm said.

Industry pundits expect Google and Mozilla to issue updates for the Chrome and Firefox browsers in the coming days.

However, Microsoft said customers running Windows Server 2003 or who choose not to install the automatic updater of revoked certificates, Microsoft recommends that the 2917500 update be applied immediately using update management software, by checking for updates using the Microsoft Update service, or by downloading and applying the update manually.

Read more about SSL vulnerabilities

Vulnerabilities in SSL methods

Microsoft plans to release the update for supported editions of Windows Server 2003 on 19 March 2015.

Security commentators have also warned that because of flaws in current SSL revocation methods, attackers may still be able to maliciously use the certificate against unsuspecting users.

Microsoft's advisory suggests the forgery was the result of someone obtaining an email address that is typically reserved for website operators to demonstrate their control of given domain.

“A certificate was improperly issued due to a misconfigured privileged email account on the domain. An email account was able to be registered for the domain using a privileged username, which was subsequently used to request an unauthorised certificate for that domain,” the advisory said.

This highlights another weakness in the system, because it means that anyone who can hijack a privileged account can use it to apply for a validated certificate.

Microsoft’s scramble to revoke trust in the secure sockets layer/transport layer security certificate for its Windows Live domain is the latest in a series of weaknesses SSL/TLS, the technology that was designed to keep online transactions secure.

Apple patched a critical SSL flaw in iOS and Mac OS about a year ago, but that has since been followed by other SSL flaws better known as HeartbleedPoodle, Superfish, PrivDog and the Freak vulnerability.

Read more on Hackers and cybercrime prevention

Data Center
Data Management