Improperly Issued Digital Certificate Could Allow Spoofing

General Information

Executive Summary

Microsoft is aware of an improperly issued subordinate CA certificate that could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. The subordinate CA certificate was improperly issued by the Directorate General of the Treasury (DG Trésor), subordinate to the Government of France CA (ANSSI), which is a CA present in the Trusted Root Certification Authorities Store. This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue.

The improperly issued subordinate CA certificate has been misused to issue SSL certificates for multiple sites, including Google web properties. These SSL certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Google web properties. The subordinate CA certificate may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks.

To help protect customers from potentially fraudulent use of this digital certificate, Microsoft is updating the Certificate Trust list (CTL) for all supported releases of Microsoft Windows to remove the trust of certificates that are causing this issue. For more information about these certificates, see the Frequently Asked Questions section of this advisory.

Recommendation. An automatic updater of revoked certificates is included in supported editions of Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, and Windows Server 2012 R2, and for devices running Windows Phone 8. For these operating systems and devices, customers do not need to take any action as these systems and devices will be automatically protected.
For systems running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 that are using the automatic updater of revoked certificates (see Microsoft Knowledge Base Article 2677070 for details), customers do not need to take any action as these systems will be automatically protected.
For customers running Windows XP or Windows Server 2003, or for customers who choose not to install the automatic updater of revoked certificates, Microsoft recommends that the 2917500 update be applied immediately using update management software, by checking for updates using the Microsoft Update service, or by downloading and applying the update manually. For more information, see the Suggested Actions section of this advisory.

Source: Microsoft Security Advisory (2916652): Improperly Issued Digital Certificates Could Allow Spoofing
 
Back
Top