Executive Summary
Summary |
---|---
Title | Improperly Issued Digital Certificates Could Allow Spoofing
Information | | |
---|---|---|---
Name | KB2916652 | First vendor publication | 2013-12-09
Vendor | Microsoft | Last vendor modification | 2014-01-15
Severity (vendor) | N/A | Revision | 2.1
Security-Database Scoring CVSS v3
CVSS vector: N/A | | |
---|---|---|---
Overall CVSS Score | NA | |
Base Score | NA | Environmental Score | NA
Impact Sub Score | NA | Temporal Score | NA
Exploitability Sub Score | NA | |
Security-Database Scoring CVSS v2
CVSS vector: Not Defined | | |
---|---|---|---
CVSS Base Score | Not Defined | Attack Range | Not Defined
CVSS Impact Score | Not Defined | Attack Complexity | Not Defined
CVSS Exploit Score | Not Defined | Authentication | Not Defined
Detail
Microsoft is aware of an improperly issued subordinate CA certificate that could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. The subordinate CA certificate was improperly issued by the Directorate General of the Treasury (DG Trésor), subordinate to the Government of France CA (ANSSI), which is a CA present in the Trusted Root Certification Authorities store. This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue.

The improperly issued subordinate CA certificate has been misused to issue SSL certificates for multiple sites, including Google web properties. These SSL certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Google web properties. The subordinate CA certificate may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks.

To help protect customers from potentially fraudulent use of this digital certificate, Microsoft is updating the Certificate Trust List (CTL) for all supported releases of Microsoft Windows to remove trust from the certificates that are causing this issue. For more information about these certificates, see the Frequently Asked Questions section of this advisory.

Recommendation

An automatic updater of revoked certificates is included in supported editions of Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, and Windows Server 2012 R2, and for devices running Windows Phone 8. For these operating systems and devices, customers do not need to take any action: the CTL will be updated automatically.

For systems running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 that are using the automatic updater of revoked certificates (see Microsoft Knowledge Base Article 2677070 for details), customers do not need to take any action: the CTL will be updated automatically.

For customers running Windows XP or Windows Server 2003, or for customers who choose not to install the automatic updater of revoked certificates, Microsoft recommends that update 2917500 be applied immediately using update management software, by checking for updates using the Microsoft Update service, or by downloading and applying the update manually. See Microsoft Knowledge Base Article 2917500 for download links.

For more information about this issue, see the following references:

This advisory discusses the following software.

Frequently Asked Questions

What is the scope of the advisory?
What caused the issue?
Does this update address any other digital certificates?

What is cryptography?
In all forms of cryptography, a value known as a key is used in conjunction with a procedure called a crypto algorithm to transform plaintext data into ciphertext. In the most familiar type of cryptography, secret-key cryptography, the ciphertext is transformed back into plaintext using the same key. In a second type of cryptography, public-key cryptography, a different key is used to transform the ciphertext back into plaintext.

What is a digital certificate?
What are certificates used for?
What is a certification authority (CA)?
What is a Certificate Trust List (CTL)?
What might an attacker do with these certificates?
What is a man-in-the-middle attack?
What is Microsoft doing to help with resolving this issue?

After applying the update, how can I verify the certificates in the Microsoft Untrusted Certificates Store?
For systems not using the automatic updater of revoked certificates, open the Certificates MMC snap-in and verify that the following certificate has been added to the Untrusted Certificates folder:

Note: for information on how to view certificates with the MMC snap-in, see the MSDN article "How to: View Certificates with the MMC Snap-in". A certificate placed in the Untrusted Certificates store makes chain building fail for that certificate and for every certificate issued under it, independently of whether the issuing CA's own CRL or OCSP service is reachable or has revoked anything.

Suggested Actions

Apply the update for supported releases of Microsoft Windows. The applicability rules are the ones given under Recommendation above: Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, Windows Server 2012 R2, and Windows Phone 8 devices update their CTL automatically; Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 systems do so if the automatic updater of revoked certificates (Microsoft Knowledge Base Article 2677070) is installed; Windows XP and Windows Server 2003, and any system on which the automatic updater is not installed, need update 2917500. See Microsoft Knowledge Base Article 2917500 for download links.

Additional suggested actions. We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates, and installing antivirus software. For more information, see Microsoft Safety & Security Center. Users running Microsoft software should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Microsoft Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have automatic updating enabled and configured to provide updates for Microsoft products, the updates are delivered to you when they are released, but you should verify that they are installed.
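The MMC check and the applicability rules above can be run as one read-only script. The following PowerShell is an added example written for this entry; it is not code from the Microsoft advisory or from Security-Database. It assumes three things the page does not state: that the default -SubjectPattern 'Tr.sor' matches the Subject or Issuer of the mis-issued certificate (pass -Thumbprint with the value from the advisory's certificate table instead, which this page does not reproduce); that the automatic updater of revoked certificates records the disallowed CTL in the registry values DisallowedCertEncodedCtl and DisallowedCertLastSyncTime under AuthRoot\AutoUpdate; and that PowerShell 3.0 or later is available (Windows 7 and later).

```powershell
<#
Added example, not from the advisory. Read-only: confirms that the mis-issued
DG Tresor subordinate CA is present in the Untrusted Certificates store and
reports which delivery mechanism the host relies on (built-in disallowed-CTL
updater on Windows 8 / Server 2012 and later, KB2677070 auto-updater on
Vista / 7 / 2008, or the KB2917500 package). Run from an elevated prompt.
#>
[CmdletBinding()]
param(
    # ASSUMPTION: pattern matched against Subject/Issuer; prefer -Thumbprint.
    [string]$SubjectPattern = 'Tr.sor',
    [string]$Thumbprint = ''
)

function Get-DisallowedCaMatch {
    param([string]$Pattern, [string]$Thumb)
    # Cert:\LocalMachine\Disallowed is the "Untrusted Certificates" folder that
    # the Certificates MMC snap-in shows for the computer account.
    $normThumb = ($Thumb -replace '\s', '').ToUpperInvariant()
    Get-ChildItem -Path Cert:\LocalMachine\Disallowed | Where-Object {
        if ($normThumb) { $_.Thumbprint -eq $normThumb }
        else            { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern }
    }
}

function Get-DisallowedCtlState {
    # ASSUMPTION: these value names are where the auto-updater caches the
    # disallowed CTL and its last sync time (REG_BINARY FILETIME).
    $key   = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $lastSync = $null
    if ($props -and $props.DisallowedCertLastSyncTime) {
        $fileTime = [BitConverter]::ToInt64([byte[]]$props.DisallowedCertLastSyncTime, 0)
        $lastSync = [DateTime]::FromFileTime($fileTime)
    }
    [pscustomobject]@{
        CtlCached = [bool]($props -and $props.PSObject.Properties['DisallowedCertEncodedCtl'])
        LastSync  = $lastSync
    }
}

function Test-HotFixInstalled {
    param([string]$Id)
    # Win32_QuickFixEngineering only lists packages installed through Windows
    # Update or WUSA; a package applied another way may not appear here.
    [bool](Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

# Windows 8 / Server 2012 report 6.2; 8.1 / 2012 R2 report 6.3 (or 6.2 when
# the host process lacks a compatibility manifest). Either way >= 6.2 means
# the disallowed-CTL updater is built in.
$os      = [Environment]::OSVersion.Version
$builtIn = $os -ge [Version]'6.2'
$ctl     = Get-DisallowedCtlState
$found   = @(Get-DisallowedCaMatch -Pattern $SubjectPattern -Thumb $Thumbprint)
$kb2917500 = Test-HotFixInstalled -Id 'KB2917500'

[pscustomobject]@{
    OSVersion              = $os.ToString()
    BuiltInCtlUpdater      = $builtIn
    DisallowedCtlCached    = $ctl.CtlCached
    DisallowedCtlLastSync  = $ctl.LastSync
    KB2677070_AutoUpdater  = Test-HotFixInstalled -Id 'KB2677070'
    KB2917500_Update       = $kb2917500
    UntrustedEntryPresent  = $found.Count -gt 0
    UntrustedEntries       = ($found | ForEach-Object { "$($_.Thumbprint) $($_.Subject)" }) -join '; '
} | Format-List

if ($found.Count -eq 0 -and -not $ctl.CtlCached -and -not $kb2917500) {
    Write-Warning ('No matching Untrusted Certificates entry, no cached disallowed CTL ' +
                   'and KB2917500 not installed: apply KB2917500 or install the ' +
                   'automatic updater of revoked certificates (KB2677070).')
}
```

On Windows 8 and later, and on Vista/7/2008 hosts with the auto-updater, expect DisallowedCtlCached to be true with a recent DisallowedCtlLastSync and UntrustedEntryPresent to be true once the CTL has synced; on XP/2003 or hosts without the auto-updater, KB2917500_Update is the field that matters. A matching entry in the Disallowed store is the authoritative result: whatever mechanism put it there, Windows will refuse any chain that passes through that certificate.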
Original Source
URL: http://www.microsoft.com/technet/security/advisory/2916652.mspx
Alert History
Date | Information
---|---
2014-02-17 11:38:45 |
2014-01-19 21:29:41 |
2014-01-16 00:18:27 |
2013-12-13 00:17:59 |
2013-12-09 21:18:26 |