Executive Summary
Summary |
---|---
Title | Fraudulent Digital Certificates Could Allow Spoofing
Information | | |
---|---|---|---
Name | KB2798897 | First vendor publication | 2013-01-03
Vendor | Microsoft | Last vendor modification | 2013-01-14
Severity (vendor) | N/A | Revision | 1.1
Security-Database Scoring CVSS v3
CVSS vector: N/A | | |
---|---|---|---
Overall CVSS score | NA | |
Base score | NA | Environmental score | NA
Impact subscore | NA | Temporal score | NA
Exploitability subscore | NA | |
Security-Database Scoring CVSS v2
CVSS vector: Not Defined | | |
---|---|---|---
CVSS base score | Not Defined | Attack range | Not Defined
CVSS impact score | Not Defined | Attack complexity | Not Defined
CVSS exploit score | Not Defined | Authentication | Not Defined
Detail
Microsoft is aware of active attacks using one fraudulent digital certificate issued by TURKTRUST Inc., which is a CA present in the Trusted Root Certification Authorities Store. This fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows.

TURKTRUST Inc. incorrectly created two subsidiary CAs (*.EGO.GOV.TR and e-islem.kktcmerkezbankasi.org). The *.EGO.GOV.TR subsidiary CA was then used to issue a fraudulent digital certificate to *.google.com. This fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Google web properties.

To help protect customers from the fraudulent use of this digital certificate, Microsoft is updating the Certificate Trust List (CTL) and is providing an update for all supported releases of Microsoft Windows that removes the trust of the certificates that are causing this issue. For more information about these certificates, see the Frequently Asked Questions section of this advisory.

Recommendation. For systems using the automatic updater of revoked certificates (see Microsoft Knowledge Base Article 2677070 for details), including Windows 8, Windows RT, Windows Server 2012, and devices running Windows Phone 8, no action is needed, as these systems will be protected automatically. For Windows XP and Windows Server 2003 customers, or customers who choose not to install the automatic updater of revoked certificates, Microsoft recommends that the 2798897 update be applied immediately using update management software, by checking for updates using the Microsoft Update service, or by downloading and applying the update manually. For more information, see the Suggested Actions section of this advisory.

For more information about this issue, see the following references:

This advisory discusses the following affected software and devices.
Frequently Asked Questions

What is the scope of the advisory?
For Windows XP and Windows Server 2003 customers, customers who have not installed Microsoft Knowledge Base Article 2677070, or for any disconnected systems unable to connect to Microsoft Update, an update for all supported releases of Microsoft Windows is available that addresses the issue.

What caused the issue?
During the investigation, the *.EGO.GOV.TR and e-islem.kktcmerkezbankasi.org certificates were identified as having been issued incorrectly: they lacked CRL or OCSP extensions and were incorrectly issued as end-entity certificates. Therefore, as a precautionary measure, we are revoking the trust of these certificates as well.

Does this update address any other digital certificates?

What is cryptography?
In all forms of cryptography, a value known as a key is used in conjunction with a procedure called a crypto algorithm to transform plaintext data into ciphertext. In the most familiar type of cryptography, secret-key cryptography, the ciphertext is transformed back into plaintext using the same key. However, in a second type of cryptography, public-key cryptography, a different key is used to transform the ciphertext back into plaintext.

What is a digital certificate?

What are certificates used for?

What is a certification authority (CA)?

What is a Certificate Trust List (CTL)?

What might an attacker do with these certificates?

What is a man-in-the-middle attack?

What is Microsoft doing to help with resolving this issue?

After applying the update, how can I verify the certificates in the Microsoft Untrusted Certificates Store?
For systems not using the automatic updater of revoked certificates, in the Certificates MMC snap-in, verify that the following certificates have been added to the Untrusted Certificates folder:

Note: For information on how to view certificates with the MMC snap-in, see the MSDN article, How to: View Certificates with the MMC Snap-in.
Suggested Actions

For supported releases of Microsoft Windows
Customers that have the automatic updater of revoked certificates (Microsoft Knowledge Base Article 2677070) will not need to take any action, because the CTL will be updated automatically.

Note: Devices running Windows Phone 8 contain the automatic updater of revoked certificates and will be updated automatically.

For administrators and enterprise installations who want to be automatically protected by using the automatic updater of revoked certificates, review Microsoft Knowledge Base Article 2677070 to help ensure it is appropriate for your environment, as disconnected systems or environments with strict egress filtering require additional consideration.

For Windows XP and Windows Server 2003 customers, or customers who choose not to install the automatic updater of revoked certificates, Microsoft recommends that the 2798897 update be applied immediately using update management software, by checking for updates using the Microsoft Update service, or by downloading and applying the update manually. See Microsoft Knowledge Base Article 2798897 for download links.

We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates, and installing antivirus software. For more information, see the Microsoft Safety & Security Center. Users running Microsoft software should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Microsoft Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have automatic updating enabled and configured to provide updates for Microsoft products, the updates are delivered to you when they are released, but you should verify that they are installed.
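The verification step above is described for the Certificates MMC snap-in; the following PowerShell script is an added example (not part of the Microsoft advisory) that performs the same check from the console on the Untrusted Certificates store (exposed as Cert:\LocalMachine\Disallowed). Because this page does not reproduce the thumbprints of the revoked certificates, it matches on the subject and issuer names named in the advisory, which is an assumption and only a first-pass check.

```powershell
# Added example, not from the Microsoft advisory. Lists entries in the
# Untrusted Certificates store whose subject or issuer mentions one of the
# names given in advisory 2798897. Matching on names rather than thumbprints
# is an assumption: the thumbprints are not reproduced on this page, so
# confirm any result against the advisory's own list.
$Names = @('EGO.GOV.TR', 'e-islem.kktcmerkezbankasi.org', 'TURKTRUST')

# "Untrusted Certificates" in the MMC snap-in is the Disallowed store here.
$disallowed = Get-ChildItem -Path Cert:\LocalMachine\Disallowed

$found = $disallowed | Where-Object {
    $cert = $_
    $Names | Where-Object { $cert.Subject -like "*$_*" -or $cert.Issuer -like "*$_*" }
}

if ($found) {
    "Found {0} matching entries in the Untrusted Certificates store:" -f @($found).Count
    $found | Select-Object Subject, Issuer, Thumbprint, NotAfter | Format-Table -AutoSize
} else {
    Write-Warning 'No matching entries in the Untrusted Certificates store.'
    Write-Warning 'Either the CTL has not been refreshed yet or update 2798897 is not installed.'
}

# Machines that received the manual package (Windows XP / Server 2003, or any
# system without the automatic updater from KB2677070) may report it here.
# Systems protected through the automatic CTL updater will not show a hotfix.
Get-HotFix -Id KB2798897 -ErrorAction SilentlyContinue
```

Run it in an elevated PowerShell session so the LocalMachine store is readable; an empty result on a system that relies on the automatic updater means only that the CTL refresh has not yet arrived, not that the update failed.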
Original Source
Url : http://www.microsoft.com/technet/security/advisory/2798897.mspx
Alert History
Date | Information
---|---
2014-02-17 11:38:41 |
2014-01-19 21:29:40 |
2013-02-06 19:08:07 |
2013-01-15 05:20:55 |
2013-01-15 05:19:07 |
2013-01-03 21:19:53 |
2013-01-03 21:17:55 |