Dodgy Google, Yahoo! SSL certs nuked in Windows – finally
Tools for snooping on google.com, gmail.com and yahoo.com users knackered
One week after Google spotted an SSL certificate issuer dishing out certs that could be used to impersonate Google and Yahoo! websites, Microsoft has taken action to block the illicit certificates from being used on its software.
The certs, issued by India's National Informatics Centre (NIC), were detected on July 2 by Google's security team, which alerted the country's certification authorities and Microsoft, since the Microsoft Root Store trusts NIC's certs. Now Microsoft is moving on the issue.
"Today, we are updating the Certificate Trust List (CTL) for all supported releases of Microsoft Windows to remove the trust of mis-issued third-party digital certificates," said Dustin Childs, group manager of response communications. "These certificates could be used to spoof content and perform phishing or man-in-the-middle attacks against web properties."
Microsoft said it hadn't detected any of the now-revoked certificates being used to carry out eavesdropping on encrypted web traffic, and the CTL update has been pushed out to all users who have automatic updates enabled. For those who don’t, Microsoft has released a patch that can be manually installed.
The update covers all Microsoft PC operating systems from Vista onward, and its Windows Phone 8 software. Server 2003 users are, however, out of luck for the moment – Microsoft says it will issue an update as soon as one becomes available. Server 2003 support ends next year, but hopefully a fix will be out before then.
Redmond also thanked Googler Adam Langley and the Google Chrome Security Team for bringing the matter to its attention. The list of affected domains can be found here. ®