Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2015.3086
Inadvertently Disclosed Digital Certificate Could Allow Spoofing
10 December 2015
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Microsoft Windows
Publisher: Microsoft
Operating System: Windows
Impact/Access: Access Privileged Data -- Remote with User Interaction
Resolution: Patch/Upgrade
Original Bulletin:
https://technet.microsoft.com/en-us/library/security/3123040
- --------------------------BEGIN INCLUDED TEXT--------------------
Microsoft Security Advisory 3123040
Inadvertently Disclosed Digital Certificate Could Allow Spoofing
Published: December 8, 2015
Version: 1.0
Executive Summary
Microsoft is aware of an SSL/TLS digital certificate for *.xboxlive.com for
which the private keys were inadvertently disclosed. The certificate could be
used in attempts to perform man-in-the-middle attacks. It cannot be used to
issue other certificates, impersonate other domains, or sign code. This issue
affects all supported releases of Microsoft Windows. Microsoft is not
currently aware of attacks related to this issue.
To help protect customers from potentially fraudulent use of the SSL/TLS
digital certificate, the certificate has been deemed no longer valid and
Microsoft is updating the Certificate Trust list (CTL) for all supported
releases of Microsoft Windows to remove the trust of the certificate. For more
information about the certificate, see the Frequently Asked Questions section
of this advisory.
Recommendation. An automatic updater of certificate trust lists is included in
supported editions of Windows 8, Windows 8.1, Windows RT, Windows RT 8.1,
Windows Server 2012, Windows Server 2012 R2, Windows 10, and Windows 10
Version 1511, and for devices running Windows Phone 8, Windows Phone 8.1, and
Windows 10 Mobile. For these operating systems and devices, customers do not
need to take any action as these systems and devices will be automatically
protected.
For systems running Windows Vista, Windows 7, Windows Server 2008, or Windows
Server 2008 R2 that are using the automatic updater of certificate trust lists
(see Microsoft Knowledge Base Article 2677070 for details), customers do not
need to take any action as these systems will be automatically protected.
Affected Software
This advisory discusses the following software.
Affected Software
Operating System
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows RT
Windows RT 8.1
Windows Server 2012
Windows Server 2012 R2
Windows 10
Windows 10 Version 1511
Server Core installation option
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core
installation)
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core
installation)
Windows Server 2008 R2 for x64-based Systems (Server Core installation)
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2 (Server Core installation)
Affected Devices
Windows Phone 8
Windows Phone 8.1
Windows 10 Mobile
Advisory FAQ
What is the scope of the advisory?
The purpose of this advisory is to notify customers that the private keys for
an SSL/TLS digital certificate for *xboxlive.com have been inadvertently
disclosed. The SSL/TLS certificate could be used to perform man-in-the-middle
attacks against Xbox Live customers.
What caused the issue?
The issue was caused by the inadvertent disclosure of private key information
for a cryptographic certificate for *.xboxlive.com.
Does this update address any other digital certificates?
Yes, in addition to addressing the certificate described in this advisory,
this update is cumulative and includes digital certificates described in
previous advisories:
Microsoft Security Advisory 2982792
Microsoft Security Advisory 2916652
Microsoft Security Advisory 2798897
Microsoft Security Advisory 2728973
Microsoft Security Advisory 2718704
Microsoft Security Advisory 2641690
Microsoft Security Advisory 2607712
Microsoft Security Advisory 2524375
Microsoft Security Advisory 3046310
Microsoft Security Advisory 3119884
What is cryptography?
Cryptography is the science of securing information by converting it between
its normal, readable state (called plaintext) and one in which the data is
obscured (known as ciphertext).
In all forms of cryptography, a value known as a key is used in conjunction
with a procedure called a crypto algorithm to transform plaintext data into
ciphertext. In the most familiar type of cryptography, secret-key
cryptography, the ciphertext is transformed back into plaintext using the same
key. However, in a second type of cryptography, public-key cryptography, a
different key is used to transform the ciphertext back into plaintext.
What is a digital certificate?
In public-key cryptography, one of the keys, known as the private key, must be
kept secret. The other key, known as the public key, is intended to be shared
with the world. However, there must be a way for the owner of the key to tell
the world who the key belongs to. Digital certificates provide a way to do
this. A digital certificate is a tamperproof piece of data that packages a
public key together with information about it (who owns it, what it can be
used for, when it expires, and so forth).
What are certificates used for?
Certificates are used primarily to verify the identity of a person or device,
authenticate a service, or encrypt files. Normally you wont have to think
about certificates at all. You might, however, see a message telling you that
a certificate is expired or invalid. In those cases you should follow the
instructions in the message.
What is a certification authority (CA)?
Certification authorities are the organizations that issue certificates. They
establish and verify the authenticity of public keys that belong to people or
other certification authorities, and they verify the identity of a person or
organization that asks for a certificate.
What is a Certificate Trust List (CTL)?
A trust must exist between the recipient of a signed message and the signer of
the message. One method of establishing this trust is through a certificate,
an electronic document verifying that entities or persons are who they claim
to be. A certificate is issued to an entity by a third party that is trusted
by both of the other parties. So, each recipient of a signed message decides
if the issuer of the signer's certificate is trustworthy. CryptoAPI has
implemented a methodology to allow application developers to create
applications that automatically verify certificates against a predefined list
of trusted certificates or roots. This list of trusted entities (called
subjects) is called a certificate trust list (CTL). For more information,
please see the MSDN article, Certificate Trust Verification.
What might an attacker do with these certificates?
An attacker could use these certificates to perform man-in-the-middle attacks
against *.xboxlive.com properties.
What is a man-in-the-middle attack?
A man-in-the-middle attack occurs when an attacker reroutes communication
between two users through the attackers computer without the knowledge of the
two communicating users. Each user in the communication unknowingly sends
traffic to and receives traffic from the attacker, all the while thinking they
are communicating only with the intended user.
What is Microsoft doing to help with resolving this issue?
Although this issue does not result from an issue in any Microsoft product, we
are nevertheless updating the CTL and providing an update to help protect
customers. Microsoft will continue to investigate this issue and may make
future changes to the CTL or release a future update to help protect
customers.
After applying the update, how can I verify the certificates in the Microsoft
Untrusted Certificates Store?
For Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2
systems that are using the automatic updater of certificate trust lists (see
Microsoft Knowledge Base Article 2677070 for details), and for Windows 8,
Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, Windows Server
2012 R2, Windows 10, and Windows 10 Version 1511 systems, you can check the
Application log in the Event Viewer for an entry with the following values:
Source: CAPI2
Level: Information
Event ID: 4112
Description: Successful auto update of disallowed certificate list with
effective date: Tuesday, December 1, 2015 (or later).
For systems not using the automatic updater of certificate trust lists, in the
Certificates MMC snap-in, verify that the following certificate has been added
to the Untrusted Certificates folder:
Certificate Issued by Thumbprint
xboxlive.com Microsoft IT SSL SHA2 8b 2e 65 a5 da 17 fc cc bc de 7e f8 7b 0c 0e d5 d0 70 1f 9f
Note For information on how to view certificates with the MMC Snap-in, see the
MSDN article, How to: View Certificates with the MMC Snap-in. Suggested
Actions
Apply the update for supported releases of Microsoft Windows
An automatic updater of certificate trusts lists is included in supported
editions of Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server
2012, Windows Server 2012 R2, Windows 10, and Windows 10 Version 1511, and for
devices running Windows Phone 8, Windows Phone 8.1, and Windows 10 Mobile. For
these operating systems or devices, customers do not need to take any action
because the CTL will be updated automatically.
For systems running Windows Vista, Windows 7, Windows Server 2008, or Windows
Server 2008 R2 that are using the automatic updater of certificate trust lists
(see Microsoft Knowledge Base Article 2677070 for details), customers do not
need to take any action because the CTL will be updated automatically.
Additional Suggested Actions
Protect your PC
We continue to encourage customers to follow our Protect Your Computer
guidance of enabling a firewall, getting software updates and installing
antivirus software. For more information, see Microsoft Safety & Security
Center.
Keep Microsoft Software Updated
Users running Microsoft software should apply the latest Microsoft security
updates to help make sure that their computers are as protected as possible.
If you are not sure whether your software is up to date, visit Microsoft
Update, scan your computer for available updates, and install any
high-priority updates that are offered to you. If you have automatic updating
enabled and configured to provide updates for Microsoft products, the updates
are delivered to you when they are released, but you should verify that they
are installed.
Other Information
Feedback
You can provide feedback by completing the Microsoft Help and Support form,
Customer Service Contact Us.
Support
Customers in the United States and Canada can receive technical support from
Security Support. For more information, see Microsoft Help and Support.
International customers can receive support from their local Microsoft
subsidiaries. For more information, see International Support.
Microsoft TechNet Security provides additional information about security in
Microsoft products.
Disclaimer
The information provided in this advisory is provided "as is" without warranty
of any kind. Microsoft disclaims all warranties, either express or implied,
including the warranties of merchantability and fitness for a particular
purpose. In no event shall Microsoft Corporation or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if Microsoft
Corporation or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply.
Revisions
V1.0 (December 8, 2015): Advisory published.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVmjxg36ZAP0PgtI9AQJzbg//c1g3w2mcJMtC8qUNeQUm6ktkiZ89comD
vlMNju/FI2OK7CpjXb5Dr/XChvHs7PRBo1oGqaVAcAsLpuhffyvwRkfhWsfyRVsZ
GtSh5buDabSybq1OnFIE0adlwm7JXnWnrLf9PlHEt4ubp2WC5SPVsW/2mdDgIv3w
W3P+6e5Cm11B+SJ5w87ZRCDSSsUjlPJvM2FDz3/LqoV/UNp0N4xzrHBoN34Agg6r
ba/kHE8Ef2ar3LvyGyzyYs2LRB/4dKbl3vLDfhQZ4lxWFkX/jiPNsnzMLccIFRqF
3dY7MLJxZ++77IJSA0QLmrVpTdnW7+Bye9GsfHZJljCDgKKlmY7Gdr7mdY5l4Wgk
9rhDqJEzMZh9pEVyyHh7e6Uwdt8LBP6x3aCVoyoVoWN3Tf7tpiBI7ef+Dk6T037P
kUTEPVDBDpA8WpxmVKvxcAidw7nCyvqY24JdID4rm/ZGJ7QOXEa7ZWnpTw/qXCa3
7F0LSmpb60HIZjYpgysafYSU9hCcx/rgSZk9LXWHbVRcuESyCVjDaVC4xfhZqLMh
I9hIxcBvsyFLJ4jcSIPclGMGQoccA69yzr3ej/8WwH7xwcomDoZ3fqaZHBAavzzc
78ls3mj9sC+75ldVTQISIPW0OY/AfJAoJih6yly9T0NPByrpYXsjvJ0ECwGl34V/
mEgZ18jgTZk=
=Q1ko
-----END PGP SIGNATURE-----