All modern OS versions developed by Microsoft are affected

Jul 11, 2014 05:23 GMT

Redmond-based tech company Microsoft has released an emergency security update for its modern operating systems, including Windows 8.1, to block attacks that rely on recently discovered fraudulent digital certificates issued for Google and Yahoo web properties.

Microsoft says that more such malicious certificates could be out in the wild, so it recommends that users accept yesterday's out-of-band update, which is automatically deployed and installed on computers running Windows 8, 8.1, RT, RT 8.1, Server 2012, Server 2012 R2, Windows Phone 8, and Windows Phone 8.1.

The new patch blocks 45 SSL certificates that attackers obtained after breaking into systems operated by the National Informatics Center (NIC) of India, a subordinate certificate authority whose certificates all Windows versions accept automatically, without any warning shown to users.

As you might guess, SSL certificates are used by a great many websites, including online banking, stores, and companies providing services such as email, and a fraudulent certificate lets an attacker impersonate such a site. Google and Yahoo services are also said to be affected, so users could be exposed when accessing those companies' SSL-protected products.

Microsoft says that, at the moment, it is not aware of any successful attack based on this new threat, and adds that thanks to this patch everyone running a newer version of Windows should be protected against it.

“The subordinate CA has been misused to issue SSL certificates for multiple sites, including Google web properties. These SSL certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against web properties. The subordinate CAs may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks,” the company explains.

While customers running Windows 8 and 8.1 receive the update automatically, Microsoft says that those still on older OS versions won't get the patch automatically, so an additional step is needed.

“To receive this update, customers must install the automatic updater of revoked certificates. Customers in disconnected environments and who are running Windows Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 can install update 2813430 to receive this update,” it continues.
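As an added example, not from the article or from Microsoft, the following PowerShell script lets an administrator verify what the update actually changed: the automatic updater of revoked certificates places distrusted CA certificates in the Windows Disallowed ("Untrusted Certificates") store, and the chain engine then reports ExplicitDistrust for any certificate chaining through them. The match pattern is an assumption, since the article names the issuer only as the National Informatics Center of India; adjust it to the subject names you see in the store.

```powershell
# Added example (not Microsoft's code). Lists entries the updater placed in the
# Disallowed store and shows how CryptoAPI flags a chain that touches one of them.
# $pattern is a hypothetical match string; the article does not print the CA names.
$pattern = 'NIC|National Informatics'

function Get-DistrustedCertificates {
    param([string]$Match)
    # Both the machine and the user Disallowed stores are consulted by the chain engine.
    $stores = @('Cert:\LocalMachine\Disallowed', 'Cert:\CurrentUser\Disallowed')
    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -match $Match -or $_.Issuer -match $Match } |
            Select-Object @{ n = 'Store'; e = { $store } }, Subject, Issuer, NotAfter, Thumbprint
    }
}

function Test-ChainDistrust {
    # Builds the chain the way Windows does for a TLS handshake. A certificate that is
    # itself in the Disallowed store, or whose chain passes through one, reports
    # ExplicitDistrust in ChainStatus; a chain ending in an unknown CA reports UntrustedRoot.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline-safe; use 'Online' to also check CRL/OCSP
    $null = $chain.Build($Cert)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status })
    [pscustomobject]@{
        Subject    = $Cert.Subject
        Distrusted = ($status -contains 'ExplicitDistrust')
        UnknownCA  = ($status -contains 'UntrustedRoot')
        Status     = ($status -join ', ')
    }
}

# 1. What did the update add? (empty output means nothing matched $pattern)
Get-DistrustedCertificates -Match $pattern | Format-Table -AutoSize

# 2. Confirm the chain engine honours the store: every matching entry should show Distrusted = True.
Get-ChildItem -Path Cert:\LocalMachine\Disallowed -ErrorAction SilentlyContinue |
    Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
    ForEach-Object { Test-ChainDistrust -Cert $_ } | Format-Table -AutoSize
```

To check a certificate captured from a server instead, load it with `New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\path\site.cer'` and pass it to Test-ChainDistrust.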

If you're wondering, users whose computers run other desktop platforms, including Mac OS X and Linux, are not affected, because those operating systems do not trust the certificate authority in question by default, so no additional patching is required.