Microsoft scrambles to kill Live.fi man-in-the-middle diddle
Finland, Finland, Finland, the place where hackers cracked a Microsoft admin account
Microsoft is firing off updates to kill a fake certificate that can be used to create a convincing man-in-the-middle attack against its Live services.
Certificate Authority Comodo has killed the bad cert, which it issued, and now Redmond is following suit by updating its revocation list for Windows platforms.
"Microsoft is aware of an improperly issued SSL certificate for the domain 'live.fi' that could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks," the company said in an advisory today.
"It cannot be used to issue other certificates, impersonate other domains, or sign code."
Microsoft says the bad certificate was issued thanks to a misconfigured privileged email account on Microsoft's live.fi web property, which looks to be the Finnish version of its online services. Whatever the site's location and audience, that someone has accessed a privileged account there suggests that attackers had their fingers in the firstname.lastname@example.org pie before asking Comodo for a certificate.
"An email account was able to be registered for the live.fi domain using a privileged username, which was subsequently used to request an unauthorised certificate for that domain," it says.
Redmond urges users to apply automatic updates. Windows 8 users can sit back and let the built-in updater do the work, while those on Server 2008 and Windows 7 will need to install the updater, or download update 2917500.
Those that do not will remain open to convincing phishing schemes that could harvest Microsoft email credentials.
Google and Mozilla will doubtless update their browsers in the coming days to put an end to the potential p0wnage. ®