Microsoft today released a new Security Advisory about improperly issued certificates that could allow spoofing. The digital certificates were improperly issued by the subordinate CA, MCS Holdings, and could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. However, the improperly issued certificates cannot be used to issue other certificates, impersonate other domains, or sign code. This issue affects all supported releases of Microsoft Windows, but the Certificate Trust List for Windows 8 and Server 2012 and later will be updated automatically.

To help protect customers from the potentially fraudulent use of these improperly issued certificates, Microsoft is updating the Certificate Trust List (CTL) to remove the trust of the subordinate CA certificate. The trusted root Certificate Authority, the China Internet Network Information Center (CNNIC), has also revoked the certificate of the subordinate CA. Microsoft is working on an update for Windows Server 2003 customers and will release it once fully tested. For more information about these certificates, see the Frequently Asked Questions section of this advisory.

Call to action:

An automatic updater of revoked certificates is included in supported editions of Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2, and for devices running Windows Phone 8 and Windows Phone 8.1. For these operating systems or devices, customers do not need to take any action, because the CTL will be updated automatically.
For systems running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 that are using the automatic updater of revoked certificates (see Microsoft Knowledge Base Article 2677070 for details), customers do not need to take any action, because these systems will be automatically protected.

Review Microsoft Security Advisory 3050995 for additional details on affected components, mitigating factors, suggested actions, frequently asked questions (FAQ), and links to additional resources.
