Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2015.0745 Microsoft Security Advisory 3050995 Improperly Issued Digital Certificates Could Allow Spoofing 26 March 2015 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Microsoft Windows Publisher: Microsoft Operating System: Windows Server 2003 Windows Vista Windows Server 2008 Windows 7 Windows Server 2008 R2 Windows 8 Windows Server 2012 Windows RT Windows 8.1 Windows Server 2012 R2 Windows RT 8.1 Impact/Access: Provide Misleading Information -- Remote with User Interaction Access Confidential Data -- Remote with User Interaction Resolution: Patch/Upgrade Reference: ESB-2015.0638.2 Original Bulletin: https://technet.microsoft.com/library/security/3050995 - --------------------------BEGIN INCLUDED TEXT-------------------- Microsoft Security Advisory 3050995 Improperly Issued Digital Certificates Could Allow Spoofing Published: March 24, 2015 Version: 1.0 Executive Summary Microsoft is aware of digital certificates that were improperly issued from the subordinate CA, MCS Holdings, which could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. The improperly issued certificates cannot be used to issue other certificates, impersonate other domains, or sign code. This issue affects all supported releases of Microsoft Windows. To help protect customers from the potentially fraudulent use of these improperly issued certificates, Microsoft is updating the Certificate Trust list (CTL) to remove the trust of the subordinate CA certificate. The trusted root Certificate Authority, the China Internet Network Information Center (CNNIC), has also revoked the certificate of the subordinate CA. Microsoft is working on an update for Windows Server 2003 customers and will release it once fully tested. For more information about these certificates, see the Frequently Asked Questions section of this advisory. Recommendation. Please see the Suggested Actions section of this advisory for instructions on applying an update for specific releases of Microsoft Windows. Advisory Details For more information about this issue, see the following references: References Identification Microsoft Knowledge Base Article 3050995 Affected Software This advisory discusses the following software. Operating System Windows Server 2003 Service Pack 2 Windows Server 2003 x64 Edition Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows 8 for 32-bit Systems Windows 8 for x64-based Systems Windows Server 2012 Windows RT Windows 8.1 for 32-bit Systems Windows 8.1 for x64-based Systems Windows Server 2012 R2 Windows RT 8.1 Server Core installation option Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) Windows Server 2008 R2 for x64-based Systems (Server Core installation) Windows Server 2012 (Server Core installation) Windows Server 2012 R2 (Server Core installation) Affected Devices Windows Phone 8 Windows Phone 8.1 Advisory FAQ What is the scope of the advisory? The purpose of this advisory is to notify customers that MCS Holdings improperly issued SSL certificates for multiple sites including Google web properties. These SSL certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against web properties. The subordinate CA may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks. What caused the issue? The issue was caused by MCS Holdings, a subordinate CA, improperly issuing domain certificates to entities other than their owners. The MCS Holdings authority is subordinated to the China Internet Network Information Center (CNNIC), which is a CA present in the Trusted Root Certification Authorities Store. Does this update address any other digital certificates? Yes, in addition to addressing the certificates described in this advisory, this update is cumulative and includes digital certificates described in previous advisories: Microsoft Security Advisory 3046310 Microsoft Security Advisory 2982792 Microsoft Security Advisory 2916652 Microsoft Security Advisory 2798897 Microsoft Security Advisory 2728973 Microsoft Security Advisory 2718704 Microsoft Security Advisory 2641690 Microsoft Security Advisory 2607712 Microsoft Security Advisory 2524375 What is cryptography? Cryptography is the science of securing information by converting it between its normal, readable state (called plaintext) and one in which the data is obscured (known as ciphertext). In all forms of cryptography, a value known as a key is used in conjunction with a procedure called a crypto algorithm to transform plaintext data into ciphertext. In the most familiar type of cryptography, secret-key cryptography, the ciphertext is transformed back into plaintext using the same key. However, in a second type of cryptography, public-key cryptography, a different key is used to transform the ciphertext back into plaintext. What is a digital certificate? In public-key cryptography, one of the keys, known as the private key, must be kept secret. The other key, known as the public key, is intended to be shared with the world. However, there must be a way for the owner of the key to tell the world who the key belongs to. Digital certificates provide a way to do this. A digital certificate is a tamperproof piece of data that packages a public key together with information about it (who owns it, what it can be used for, when it expires, and so forth). What are certificates used for? Certificates are used primarily to verify the identity of a person or device, authenticate a service, or encrypt files. Normally you wont have to think about certificates at all. You might, however, see a message telling you that a certificate is expired or invalid. In those cases you should follow the instructions in the message. What is a certification authority (CA)? Certification authorities are the organizations that issue certificates. They establish and verify the authenticity of public keys that belong to people or other certification authorities, and they verify the identity of a person or organization that asks for a certificate. What is a Certificate Trust List (CTL)? A trust must exist between the recipient of a signed message and the signer of the message. One method of establishing this trust is through a certificate, an electronic document verifying that entities or persons are who they claim to be. A certificate is issued to an entity by a third party that is trusted by both of the other parties. So, each recipient of a signed message decides if the issuer of the signer's certificate is trustworthy. CryptoAPI has implemented a methodology to allow application developers to create applications that automatically verify certificates against a predefined list of trusted certificates or roots. This list of trusted entities (called subjects) is called a certificate trust list (CTL). For more information, please see the MSDN article, Certificate Trust Verification. What might an attacker do with these certificates? An attacker could use these certificates to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against the following web properties: *.google.com *.google.com.eg *.g.doubleclick.net *.gstatic.com www.google.com www.gmail.com *.googleapis.com What is a man-in-the-middle attack? A man-in-the-middle attack occurs when an attacker reroutes communication between two users through the attackers computer without the knowledge of the two communicating users. Each user in the communication unknowingly sends traffic to and receives traffic from the attacker, all the while thinking they are communicating only with the intended user. What is Microsoft doing to help with resolving this issue? Although this issue does not result from an issue in any Microsoft product, we are nevertheless updating the CTL and providing an update to help protect customers. Microsoft will continue to investigate this issue and may make future changes to the CTL or release a future update to help protect customers. After applying the update, how can I verify the certificates in the Microsoft Untrusted Certificates Store? For Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 systems that are using the automatic updater of revoked certificates (see Microsoft Knowledge Base Article 2677070 for details), and for Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, and Windows Server 2012 R2 systems, you can check the Application log in the Event Viewer for an entry with the following values: Source: CAPI2 Level: Information Event ID: 4112 Description: Successful auto update of disallowed certificate list with effective date: Monday, March 23, 2015 (or later). For systems not using the automatic updater of revoked certificates, in the Certificates MMC snap-in, verify that the following certificate has been added to the Untrusted Certificates folder: Certificate Issued by Thumbprint MCSHOLDING TEST CNNIC ROOT e1 f3 59 1e 76 98 65 c4 e4 47 ac c3 7e af c9 e2 bf e4 c5 76 Note For information on how to view certificates with the MMC Snap-in, see the MSDN article, How to: View Certificates with the MMC Snap-in. Suggested Actions Apply the update for supported releases of Microsoft Windows An automatic updater of revoked certificates is included in supported editions of Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2, and for devices running Windows Phone 8 and Windows Phone 8.1. For these operating systems or devices, customers do not need to take any action, because the CTL will be updated automatically. For systems running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 that are using the automatic updater of revoked certificates (see Microsoft Knowledge Base Article 2677070 for details), customers do not need to take any action, because these systems will be automatically protected. Additional Suggested Actions Protect your PC We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. For more information, see Microsoft Safety & Security Center. Keep Microsoft Software Updated Users running Microsoft software should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Microsoft Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have automatic updating enabled and configured to provide updates for Microsoft products, the updates are delivered to you when they are released, but you should verify that they are installed. Other Information Feedback You can provide feedback by completing the Microsoft Help and Support form, Customer Service Contact Us. Support Customers in the United States and Canada can receive technical support from Security Support. For more information, see Microsoft Help and Support. International customers can receive support from their local Microsoft subsidiaries. For more information, see International Support. Microsoft TechNet Security provides additional information about security in Microsoft products. Disclaimer The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Revisions V1.0 (March 24, 2015): Advisory published. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBVROEExLndAQH1ShLAQITAg//VLqg9U36qIu0tsWsaaaaKkb18Pv2DXoS UfbIerpd4FdKhCThkxYc9R6VQWjAj64iCE0+zfdtriY8GYepRknbAkLHgAYAmp5A nG53AbgQzOcvgdKuh4BvgR8jNkCcGUud6SNNa0hyiLQseTtmilbrGuxpPl2MLA0j iwDNlBRUsAdxapBrbbrxuDo5W1oojQJ7ks6Yl0OJnwfBUaODVhrmL5iqyxJyXF/1 N1is6O2uv+j78bSKPw/5Xk9Ge9/AOe9eMX+647GOPqZitAN3CrEuNkKYRD69vKBQ x3yM1lF/pSbaBAYBxu201FWi+1JEoPc9QP6IWvjXSyvLFf+UOo91z5zMxKwaqpaZ rK+mLkACRduZLHLQ8n4O2OLs//3BQuK2YmtX970JwwD2iCJBo2nZxZNDO1qMM9h8 tWblw4Ew8NvEx/G/8/Rvlbkwp1K23peuSTt03uVE4T+KY/VWrsM78ae/QTVXw8zV Y9tCpoiua55mUpKT+5UBqHBSwXrVXtZc/NVG0n0Z1wghq3CwMQjjruYqUCRemnsf P1dwF01sbhhWafmGYog5kiF4plEs8iJEse4Gybe1QNX321hvChChSJKVrttIVSyb jfvBzIBmDXB+9QeMifFgAvJhY7w5xVbpzAG6emOKrI47J3t1Pgfz5ru+dz6N98bS T7AHOIN/T2M= =0wSF -----END PGP SIGNATURE-----