Improperly Issued Digital Certificates Could Allow Spoofing

Microsoft Security Advisory (2916652)

Published: Monday, December 09, 2013
Version: 1.0


General Information

Executive Summary

Microsoft is aware of an improperly issued subordinate CA certificate that could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. The subordinate CA certificate was improperly issued by the Directorate General of the Treasury (DG Trésor), subordinate to the Government of France CA (ANSSI), which is a CA present in the Trusted Root Certification Authorities Store. This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue.

The improperly issued subordinate CA certificate has been misused to issue SSL certificates for multiple sites, including Google web properties. These SSL certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Google web properties. The subordinate CA certificate may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks.

To help protect customers from potentially fraudulent use of this digital certificate, Microsoft is updating the Certificate Trust list (CTL) for all supported releases of Microsoft Windows to remove the trust of certificates that are causing this issue. For more information about these certificates, see the Frequently Asked Questions section of this advisory.

Recommendation. An automatic updater of revoked certificates is included in supported editions of Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2, and for devices running Windows Phone 8. For these operating systems and devices, customers do not need to take any action as these systems and devices will be automatically protected.

For systems running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 that are using the automatic updater of revoked certificates (see Microsoft Knowledge Base Article 2677070 for details), customers do not need to take any action as these systems will be automatically protected.

At this time, no update is available for customers running Windows XP or Windows Server 2003, or for customers who choose not to install the automatic updater of revoked certificates.

For more information, see the Suggested Actions section of this advisory.


Suggested Actions

Apply the update for supported releases of Microsoft Windows

An automatic updater of revoked certificates is included in supported editions of Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2, and for devices running Windows Phone 8. For these operating systems or devices, customers do not need to take any action because the CTL will be updated automatically.

For systems running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 that are using the automatic updater of revoked certificates (see Microsoft Knowledge Base Article 2677070 for details), customers do not need to take any action because the CTL will be updated automatically.

No update is available at this time for customers running Windows XP and Windows Server 2003, or for customers who choose not to install the automatic updater of revoked certificates.
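The advisory relies on the automatic updater of revoked certificates (KB2677070) to push the revised Certificate Trust List. The script below is an added example, not part of the Microsoft advisory, that a Windows administrator can run to confirm the updater is not disabled by policy and to see when the disallowed-certificate CTL was last synchronized. It assumes the registry value names (DisableRootAutoUpdate, DisallowedCertLastSyncTime, DisallowedCertEncodedCtl) and the FILETIME encoding of the sync timestamp documented for the updater; the Disallowed store listing at the end only shows certificates that were explicitly added to that store, since the CTL itself carries certificate hashes rather than full certificates.

```powershell
# Added example (not Microsoft's code): report the state of the automatic
# updater of revoked certificates on this machine.
# Assumptions: the registry locations and value names below are the ones
# documented for the updater in KB2677070; the sync timestamp is an 8-byte FILETIME.

$policyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$autoUpdateKey = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'

# 1. Check whether automatic root/CTL updates are disabled by Group Policy.
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableRootAutoUpdate -eq 1) {
    Write-Warning 'DisableRootAutoUpdate=1: the CTL will not refresh automatically on this system.'
} else {
    'Automatic root/CTL update is not disabled by policy.'
}

# 2. Report the last synchronization of the disallowed-certificate CTL.
$auto = Get-ItemProperty -Path $autoUpdateKey -ErrorAction SilentlyContinue
if ($auto -and $auto.DisallowedCertLastSyncTime) {
    # Assumption: value is a little-endian 64-bit FILETIME stored as REG_BINARY.
    $fileTime = [BitConverter]::ToInt64([byte[]]$auto.DisallowedCertLastSyncTime, 0)
    $lastSync = [DateTime]::FromFileTimeUtc($fileTime)
    "Disallowed CTL last synced (UTC): $lastSync"
    if ($auto.DisallowedCertEncodedCtl) {
        "Cached disallowed CTL size: $($auto.DisallowedCertEncodedCtl.Length) bytes"
    }
} else {
    Write-Warning 'No disallowed-CTL sync record found; the updater may not be installed (see KB2677070).'
}

# 3. List anything explicitly placed in the machine Disallowed store.
# Note: entries delivered through the CTL are hashes and do not show up here.
Get-ChildItem -Path Cert:\LocalMachine\Disallowed -ErrorAction SilentlyContinue |
    Select-Object Subject, Issuer, NotAfter, Thumbprint
```

Run the script from an elevated PowerShell prompt so the HKLM keys are readable. A sync time older than the advisory's publication date, or a missing record, means the system has not yet picked up the revised CTL and the KB2677070 updater (or a manual update) is still needed.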


Advisory Details

Additional Suggested Actions

  • Protect your PC. We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. For more information, see Microsoft Safety & Security Center.
  • Keep Microsoft Software Updated. Users running Microsoft software should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Microsoft Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have automatic updating enabled and configured to provide updates for Microsoft products, the updates are delivered to you when they are released, but you should verify that they are installed.
Source: https://technet.microsoft.com/en-us/security/advisory/2916652
 
Update:

- Revision Note: V2.0 (December 12, 2013): Advisory revised to announce the availability of the 2917500 update for customers running Windows XP or Windows Server 2003, or for customers who choose not to install the automatic updater of revoked certificates. The 2917500 update is available via the Microsoft Update service and from the download center. For more information, see the Suggested Actions section of this advisory.
 
