Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2013.1757
Improperly Issued Digital Certificates Could Allow Spoofing
10 December 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Microsoft Windows
Windows Phone 8
Publisher: Microsoft
Operating System: Windows XP
Windows Server 2003
Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2
Windows 8
Windows Server 2012
Mobile Device
Impact/Access: Provide Misleading Information -- Remote with User Interaction
Unauthorised Access -- Remote with User Interaction
Resolution: Patch/Upgrade
Original Bulletin:
http://technet.microsoft.com/en-us/security/advisory/2916652
- --------------------------BEGIN INCLUDED TEXT--------------------
Microsoft Security Advisory (2916652)
Improperly Issued Digital Certificates Could Allow Spoofing
Published: Monday, December 09, 2013
Version: 1.0
General Information
Executive Summary
Microsoft is aware of an improperly issued subordinate CA certificate that
could be used in attempts to spoof content, perform phishing attacks, or
perform man-in-the-middle attacks. The subordinate CA certificate was
improperly issued by the Directorate General of the Treasury (DG Trsor),
subordinate to the Government of France CA (ANSSI), which is a CA present in
the Trusted Root Certification Authorities Store. This issue affects all
supported releases of Microsoft Windows. Microsoft is not currently aware of
attacks related to this issue.
The improperly issued subordinate CA certificate has been misused to issue SSL
certificates for multiple sites, including Google web properties. These SSL
certificates could be used to spoof content, perform phishing attacks, or
perform man-in-the-middle attacks against several Google web properties. The
subordinate CA certificate may also have been used to issue certificates for
other, currently unknown sites, which could be subject to similar attacks.
To help protect customers from potentially fraudulent use of this digital
certificate, Microsoft is updating the Certificate Trust list (CTL) for all
supported releases of Microsoft Windows to remove the trust of certificates
that are causing this issue. For more information about these certificates,
see the Frequently Asked Questions section of this advisory.
Recommendation. An automatic updater of revoked certificates is included in
supported editions of Windows 8, Windows 8.1, Windows Server 2012, and Windows
Server 2012 R2, and for devices running Windows Phone 8. For these operating
systems and devices, customers do not need to take any action as these systems
and devices will be automatically protected.
For systems running Windows Vista, Windows 7, Windows Server 2008, or Windows
Server 2008 R2 that are using the automatic updater of revoked certificates
(see Microsoft Knowledge Base Article 2677070 for details), customers do not
need to take any action as these systems will be automatically protected.
At this time, no update is available for customers running Windows XP or
Windows Server 2003, or for customers who choose not to install the automatic
updater of revoked certificates.
For more information, see the Suggested Actions section of this advisory.
Advisory Details
Affected Software
This advisory discusses the following software.
Affected Software
Operating System
Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows Server 2012
Windows Server 2012 R2
Server Core installation option
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core
installation)
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core
installation)
Windows Server 2008 R2 for x64-based Systems (Server Core installation)
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2 (Server Core installation)
Affected Devices
Windows Phone 8
Suggested Actions
Apply the update for supported releases of Microsoft Windows
An automatic updater of revoked certificates is included in supported editions
of Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2, and
for devices running Windows Phone 8. For these operating systems or devices,
customers do not need to take any action because the CTL will be updated
automatically.
For systems running Windows Vista, Windows 7, Windows Server 2008, or Windows
Server 2008 R2 that are using the automatic updater of revoked certificates
(see Microsoft Knowledge Base Article 2677070 for details), customers do not
need to take any action because the CTL will be updated automatically.
No update is available at this time for customers running Windows XP and Windows
Server 2003, or for customers who choose not to install the automatic updater of
revoked certificates.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUqZsgRLndAQH1ShLAQI2UQ//ZNmQppzwckZnBu7tfLiQR2frg33GomFV
die0o6hLE84vQlY9jSAGwJD6yMSD4cX4MrbbS1pNp7Fg7VfYzJkfsukQ+tUDHFJp
7qmOdUHX7Hac7iRRyZwpYW6N4sdpIUKIXLXDG/KvFO+J8Cb03/LTRkg8NMhCZttX
dCyXyaXfQuODG6k4wrfF1oB3MbQ5rjma3N6gmiCVh9evYo+VhDiwX34rrBSbZ+2e
vixYKTw+QM6rqxtXaM1aHRZ+aIQlR2eDdB39UjUiWEEK8Y2wO4Ap43SvWJhgmamD
d428Zo3nyYXEAlF+LGZg4M8KWntxsc8Jiq9VXEX2a9GYIQdu4l9q7wj86IVmXtsp
bqpO9GzTiTFB8az/Ni5/QE4tPPawSF6F3VhjINI+MGaribwJEC7ACHyfXXQJ5Nht
gpHODWFLbNhRpijl65DL+Aw4vdxs8uGP7zGe6lCNEu2yFviQNRfd/3oMXmwBUjue
iVTS0JL6rIV8i2zsmRt4a4vQQMAH1SYzg2JC1i+bsI7LAnnGAeUn38XNFWmTqLvA
Ch71exbPH8TvC/4/7sPutiJ2YCFcg3nulHfRgFGEuCqdRMkdg48coOvgJssxCG2g
nyXwUPbwhFWeRHdFVOoPmgwXewWLP9ajGXSzJbykWrMLM7LfgKY+a89XXG8f2pva
xJBa+xnUPDc=
=W6A7
-----END PGP SIGNATURE-----