Mar 24, 2011 12:22 GMT

Microsoft has released an out-of-band Windows update aimed at blacklisting several digital certificates obtained fraudulently from Comodo a week ago.

According to Comodo, a Certification Authority (CA) trusted by default in all Windows versions and browsers, hackers obtained access to the account of one of its European resellers and used it to fraudulently request nine certificates for high-profile domains.

The certificates corresponded to login.live.com, mail.google.com, www.google.com, login.yahoo.com (three), login.skype.com, addons.mozilla.org and "Global Trustee".

It's not clear how many of them were actually issued by Comodo, but at least one for login.yahoo.com was tested on an Iranian server.

"Comodo advised Microsoft on March 16, 2011 that nine certificates had been signed on behalf of a third party without sufficiently validating its identity," Microsoft says in a newly published security advisory.

"These certificates may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer," it warns.

To mitigate the risks, Microsoft pushed an important (high priority) update, KB2524375, to all supported Windows versions to blacklist the certificates.

Even though it has been known since last week, the incident was kept under wraps by the involved parties in order to allow time for developing and deploying fixes.

Mozilla and Google have already released updates that blacklist the certificates in Firefox and Chrome, and Comodo has revoked the certificates on its side.

Given that the attacker's IP address and that of the rogue certificate test server were both from Iran, Comodo believes this was likely a state-driven attack.

"The Iranian government has recently attacked other encrypted methods of communication," Comodo writes in its incident report.

Even though no other attempts to use the certificates have been detected so far, users are strongly encouraged to install KB2524375 as soon as possible.