Microsoft Warning: Hackers Using Counterfeit Digital Certificates To Spoof Popular Websites
July 11, 2014

Peter Suciu for - Your Universe Online

Users of Microsoft's Windows Internet Explorer, as well as other Windows applications, could be at risk from attacks that use counterfeit encryption certificates, which let "spoof" sites pass as the real thing. Hackers are using these counterfeit encryption certificates in place of legitimate credentials for such popular online destinations as Google, Yahoo and other Internet properties.

"Microsoft is aware of improperly issued SSL certificates that could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks," the company posted on its Security TechCenter site on Thursday. "The SSL certificates were improperly issued by the National Informatics Centre (NIC), which operates subordinate CAs under root CAs operated by the Government of India Controller of Certifying Authorities (CCA), which are CAs present in the Trusted Root Certification Authorities Store. This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue."

Microsoft confirmed that these SSL certificates had been misused, having been issued for multiple sites, including Google web properties.

As a matter of caution, Microsoft noted that "An automatic updater of revoked certificates is included in supported editions of Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, and Windows Server 2012 R2, and for devices running Windows Phone 8 or Windows Phone 8.1. For these operating systems or devices, customers do not need to take any action because the CTL will be updated automatically."

This week, however, it was Google that first responded to the issue in a post on its online security blog.

"On Wednesday, July 2, we became aware of unauthorized digital certificates for several Google domains. The certificates were issued by the National Informatics Centre (NIC) of India, which holds several intermediate CA certificates trusted by the Indian Controller of Certifying Authorities (India CCA)," wrote Adam Langley, security engineer at Google. "The India CCA certificates are included in the Microsoft Root Store and thus are trusted by the vast majority of programs running on Windows, including Internet Explorer and Chrome. Firefox is not affected because it uses its own root store that doesn't include these certificates."

Langley added that the CCA confirmed that the counterfeit certificates were in fact the result of a compromise of NIC's certificate issuance process.

"Interestingly enough, it was the Google Chrome security team that originally spotted and blocked the unsafe domains emanating from the Government of India Controller of Certifying Authorities (CCA)," said Charles King, principal analyst at Pund-IT. "But they also noticed that Microsoft's Trusted Root Store did include the CCA – thus allowing access to the domains. They then alerted Microsoft which, in its updated advisory, thanked Google for the warning."

At present, Google may find itself in the clear, but "matters for Microsoft may be considerably more difficult," reported Dan Goodin for Ars Technica on Wednesday. "The CCA issues huge numbers of legitimate certificates. Revoking the entire root certificate in Windows comes at the risk of breaking large parts of the Internet. Unless Microsoft engineers have the granular control Google has to permit and block specific subdomains included in a given root certificate, they may be forced to revoke individual certificates."

The issue with those certificates is apparently being resolved.

A Microsoft spokesperson provided the following statement to ZDNet on Thursday: "We have been working diligently on the mis-issued third-party certificates and have untrusted the related Subordinate Certification Authority certificates to ensure that our customers remain protected. Customers with automatic updates enabled do not need to take any action to remain protected. For more details refer to Security Advisory 2982792."
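To make concrete the granular distrust Goodin describes and the "untrusted the related Subordinate Certification Authority certificates" step in Microsoft's statement, here is an added Go example (not code from Microsoft, Google or this article). It builds a constructed root CA, a subordinate CA, a leaf the subordinate mis-issues for a host it does not own, and a legitimate leaf from the root, then applies a disallowed list in the role of the CTL the advisory mentions; every name and key is hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a certificate for name with parentKey; parent == nil makes a self-signed root.
// Constructed demo PKI only: serials come from the clock, a real CA issues unique random ones.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: isCA,
		Subject: pkix.Name{CommonName: name}, DNSNames: []string{name}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil { parent, parentKey = tmpl, key } // root: the template is its own issuer
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// trusted builds leaf's chain as a client would, then rejects it if any certificate in the chain
// is on the disallowed list: the job the Disallowed CTL does on Windows (keyed by hash, not raw DER).
func trusted(leaf *x509.Certificate, roots, inters *x509.CertPool, disallowed map[string]bool, host string) bool {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil { return false }
	for _, c := range chains[0] {
		if disallowed[string(c.Raw)] { return false } // chain passes through an untrusted subordinate CA
	}
	return true
}

// scenario returns trust of the mis-issued leaf before and after the subordinate CA is
// distrusted, and trust of the legitimate root-issued leaf after that targeted distrust.
func scenario() (bogusBefore, bogusAfter, legitAfter bool) {
	root, rootKey := issue("root-ca.example.test", true, nil, nil)
	sub, subKey := issue("sub-ca.example.test", true, root, rootKey)
	bogus, _ := issue("www.example.test", false, sub, subKey) // mis-issued by the subordinate
	legit, _ := issue("legit.example.test", false, root, rootKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(sub)
	distrust := map[string]bool{string(sub.Raw): true} // untrust only the subordinate, not the root
	return trusted(bogus, roots, inters, nil, "www.example.test"),
		trusted(bogus, roots, inters, distrust, "www.example.test"),
		trusted(legit, roots, inters, distrust, "legit.example.test")
}
```

Before the subordinate is distrusted the mis-issued certificate chains cleanly to the trusted root, which is exactly why a rogue intermediate under a trusted root is dangerous; after it, only the chains through that subordinate fail, so certificates the root issued directly keep working.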

This is also a rare case in which two tech giants that often find themselves at odds need each other to ensure the safety of their respective customers, who may well be customers of both companies.

"In essence, this story reflects the way security issues should and can be addressed by commonly involved organizations that may otherwise be fierce competitors," Pund-IT's King told redOrbit. "At the end of the day, keeping Internet users safe should be the overriding concern, and both Google and Microsoft deserve kudos for discovering and resolving the problem in a thoroughly adult and professional manner."