Feeds

Dodgy Google, Yahoo! SSL certs nuked in Windows – finally

Tools for snooping on google.com, gmail.com and yahoo.com users knackered

Providing a secure and efficient Helpdesk

One week after Google spotted an SSL certificate issuer dishing out certs that could be used to impersonate Google and Yahoo! websites, Microsoft has taken action to block the illicit certificates from being used on its software.

The certs, issued by India's National Informatics Centre (NIC), were detected on July 2 by Google's security team, which alerted the country's certification authorities and Microsoft, since the Microsoft Root Store trusts NIC's certs. Now Microsoft is moving on the issue.

"Today, we are updating the Certificate Trust List (CTL) for all supported releases of Microsoft Windows to remove the trust of mis-issued third-party digital certificates," said Dustin Childs, group manager of response communications. "These certificates could be used to spoof content and perform phishing or man-in-the-middle attacks against web properties."

Microsoft said it hadn't detected any of the now-revoked certificates being used to carry out eavesdropping on encrypted web traffic, and the CTL update has been pushed out to all users who have automatic updates enabled. For those who don’t, Microsoft has released a patch that can be manually installed.

The update covers all Microsoft PC operating systems from Vista onward, and its Windows Phone 8 software. Server 2003 users are, however, out of luck for the moment – Microsoft says it will issue an update as soon as one becomes available. Server 2003 support ends next year, but hopefully a fix will be out before then.

Redmond also thanked Googler Adam Langley and the Google Chrome Security Team for bringing the matter to its attention. The list of affected domains can be found here. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.