Company works on an update for Windows Server 2003

Mar 26, 2015 11:00 GMT  ·  By

Microsoft has revoked a fraudulently issued intermediate certificate under which certificates for several Google domains, and possibly other web properties, were created, eliminating the risk of web content spoofing, phishing and man-in-the-middle attacks for customers running any supported version of Windows.

The issue stemmed from the fact that Egypt-based MCS Holdings had been given, by its root Certificate Authority (CA), an intermediate CA certificate whose powers were not limited to the domains registered in its own name: it could sign certificates for any website.

The CA that delegated this power is CNNIC (China Internet Network Information Center), which revoked the rogue intermediate certificate as soon as it learned of MCS Holdings' actions.

Some Windows versions get the update automatically

Microsoft has updated the Certificate Trust List (CTL) for Windows so that the fraudulent certificate can no longer be used for malicious operations against its customers. Certificates distrusted this way land in the machine's Untrusted Certificates store (Cert:\LocalMachine\Disallowed in PowerShell), which is where an administrator can confirm that the update has arrived.

The list of Google domains that could have been leveraged by an attacker includes Gmail and Google.com, two web properties that are accessed by tens of millions of unique IP addresses on a daily basis.

Other Google domains affected are *.google.com.eg, *.g.doubleclick.net, *.gstatic.com and *.googleapis.com. It is possible that domains belonging to other owners also had certificates issued under MCS Holdings' rogue intermediate.

The CTL update is delivered automatically to systems running supported editions of Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows RT 8.1 and Windows Server 2012 R2, and to devices running Windows Phone 8 and 8.1. On these, users need take no action, as the change is applied in the background.

The same goes for Windows Vista, 7, Server 2008 and Server 2008 R2, provided the automatic updater of revoked certificates is installed; on systems without it, the revised CTL is not delivered automatically.

Public-key pinning mitigates risk in Chrome and Firefox

In the case of Windows Server 2003 (for which support ends on July 14, 2015), Microsoft says in its security advisory that it is developing an update, to be released once testing is complete.

Google has already blocked the certificate in Chrome via a CRLSet push, while Mozilla has scheduled full mitigation of the issue for Firefox 37.

Even before those updates, the affected Google domains cannot be spoofed in these two browsers: both ship with public-key pins for Google's properties (Chrome for several years, Firefox since version 33), so a certificate that chains to a trusted root such as CNNIC's but carries a key that is not on the pin list is rejected whether or not the intermediate has been revoked. One caveat: both browsers deliberately skip their built-in pins for chains that end in a locally installed root, so pinning does not block an enterprise interception proxy whose own root has been pushed to the machine; it defeats misissuance under publicly trusted roots, which is what happened here.
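The pin check described above, as an added Go example that is not code from the article, Microsoft, Google or Mozilla. It models what a pinning browser does: ordinary path validation first, then a second check that some key in the validated chain matches a pinned SubjectPublicKeyInfo hash. Two demo CAs are both placed in the trust store (as CNNIC's root still was), only the legitimate one is pinned, and each issues a certificate for the same host; the CA names, the host "mail.example.test" and all certificates are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// SPKIPin returns the base64 SHA-256 of a certificate's SubjectPublicKeyInfo,
// the pin format used by HPKP and by the browsers' built-in pin lists.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Outcome records how a presented chain fares against the trust store and the pin set.
type Outcome struct{ ChainTrusted, PinMatched bool }

// CheckChain mirrors a pinning browser: ordinary path validation first, then a
// second check that at least one key in the validated chain is on the pin list.
// A chain that validates but matches no pin is rejected by the browser.
func CheckChain(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[string]bool) Outcome {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return Outcome{} // untrusted chain: the pin check is never reached
	}
	for _, c := range chains[0] {
		if pins[SPKIPin(c)] {
			return Outcome{ChainTrusted: true, PinMatched: true}
		}
	}
	return Outcome{ChainTrusted: true}
}

// certTemplate builds a one-day certificate template; CA templates get the
// basic-constraints and key-usage bits that path validation expects.
func certTemplate(name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// mintCert generates a fresh P-256 key and has parent sign tmpl for it; a nil
// parent yields a self-signed certificate. Demo-only certificates; failures panic.
func mintCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// RunScenario puts two CAs in the trust store, pins only the legitimate one, and
// has each issue a certificate for the same host, as the rogue intermediate did.
func RunScenario() (legit, rogue Outcome) {
	const host = "mail.example.test" // placeholder name, not a real pinned domain
	legitCA, legitKey := mintCert(certTemplate("Legitimate CA (demo)", true), nil, nil)
	rogueCA, rogueKey := mintCert(certTemplate("Rogue intermediate (demo)", true), nil, nil)
	legitLeaf, _ := mintCert(certTemplate(host, false), legitCA, legitKey)
	rogueLeaf, _ := mintCert(certTemplate(host, false), rogueCA, rogueKey)
	roots := x509.NewCertPool()
	roots.AddCert(legitCA)
	roots.AddCert(rogueCA) // both trusted, just as the CNNIC root still was
	pins := map[string]bool{SPKIPin(legitCA): true} // only the real issuer's key is pinned
	return CheckChain(legitLeaf, roots, host, pins), CheckChain(rogueLeaf, roots, host, pins)
}

func main() {
	legit, rogue := RunScenario()
	fmt.Printf("legitimate chain: %+v\nrogue chain: %+v\n", legit, rogue) // rogue: PinMatched:false
}
```

The point the output makes is the one the article relies on: the rogue chain passes plain path validation, because its issuer is in the trust store, and is only stopped by the pin check. Revocation through a CTL, CRLSet or OneCRL removes the issuer from the first check; pinning guards the second even while revocation is still propagating.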