Microsoft updates the Certificate Trust List on all Windows

Mar 17, 2015 14:49 GMT

A certificate for the Finnish Windows Live domain administered by Microsoft was issued by the Certificate Authority (CA) Comodo following an unauthorized request made from an email account with a privileged username.

Comodo revoked the certificate as soon as it learned of the fraudulent issuance, but there is still trouble ahead for Microsoft customers: the Certificate Trust List (CTL) in all supported versions of Windows has to be updated in order to fully eliminate the risk of man-in-the-middle (MitM) attacks.

The Google Chrome and Internet Explorer web browsers rely on the Windows CTL for SSL certificate verification, but Mozilla Firefox ships its own certificate store, which also needs to be updated to block the rogue entry in order to prevent any malicious activity that may rely on it.

Email with privileged username employed to obtain the certificate

The bogus certificate can be used by an attacker to spoof Microsoft web content and to carry out phishing and MitM attacks; it cannot be used to issue other certificates, sign software code or spoof other domains.

According to an advisory from Microsoft released on Monday, someone was able to register an email account for the “live.fi” domain “using a privileged username, which was subsequently used to request an unauthorized certificate for that domain.”

Such usernames are usually reserved for administrators and include strings such as “admin,” “administrator” or “webmaster” followed immediately by the “@” symbol and the domain they belong to.

One way a CA validates that a requester controls a domain is to send a confirmation code to one of these privileged email addresses at that domain; whoever can read the mailbox can complete the check, which is why letting an ordinary user register such an address is dangerous.
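The mitigation on the mail provider's side is to refuse sign-ups for role mailboxes that CAs accept as proof of domain control. The following is an added example written for this article, not code from Microsoft, Comodo or any webmail provider; the reserved list combines the five local parts used for CA domain-validation email (admin, administrator, webmaster, hostmaster, postmaster) with the RFC 2142 role names, and the hosted-domain set and sample requests are constructed for the demonstration. It also handles the variants a naive string comparison misses: case, plus-address tags, ignored dots and Unicode compatibility forms.

```python
"""Reject privileged (role) local-parts at mailbox sign-up.

Added example, not from the article. The policy below is an assumption
about what a provider hosting mailboxes under a customer-facing domain
would enforce; adjust the list to the CA validation methods in use.
"""
import unicodedata

# Local parts a CA may treat as a domain contact. The first five are the
# constructed-email addresses used for domain validation; the rest are
# RFC 2142 role mailboxes. Assumed policy, not any provider's real list.
RESERVED_LOCAL_PARTS = frozenset({
    "admin", "administrator", "webmaster", "hostmaster", "postmaster",
    "abuse", "noc", "security", "info", "support", "sales", "marketing",
    "www", "ftp", "news", "usenet", "uucp", "root",
})


def normalize_local_part(local_part: str, *, ignore_dots: bool = True) -> str:
    """Reduce a requested local part to the mailbox it would deliver to."""
    # NFKC folds fullwidth and other compatibility forms ("ａｄｍｉｎ" -> "admin");
    # casefold handles upper case more aggressively than lower().
    s = unicodedata.normalize("NFKC", local_part).casefold()
    # "admin+anything" is delivered to "admin" on providers with plus-addressing.
    s = s.split("+", 1)[0]
    # Providers that ignore dots deliver "host.master" to "hostmaster".
    if ignore_dots:
        s = s.replace(".", "")
    return s


def is_reserved_local_part(local_part: str, *, ignore_dots: bool = True) -> bool:
    """True if the requested name collapses onto a reserved role mailbox."""
    return normalize_local_part(local_part, ignore_dots=ignore_dots) in RESERVED_LOCAL_PARTS


def validate_signup(requested_address: str, hosted_domains: set[str]) -> tuple[bool, str]:
    """Decide whether a sign-up request may create the mailbox.

    Returns (allowed, reason). Only addresses under a hosted domain are
    considered; everything else is rejected so the check fails closed.
    """
    if requested_address.count("@") != 1:
        return False, "address must contain exactly one '@'"
    local, domain = requested_address.rsplit("@", 1)
    domain = domain.casefold().rstrip(".")
    if domain not in hosted_domains:
        return False, f"domain '{domain}' is not hosted here"
    if not local:
        return False, "empty local part"
    if is_reserved_local_part(local):
        return False, f"'{local}' is a reserved role mailbox"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests against a constructed hosted-domain set.
    hosted = {"live.fi"}
    for request in ["alice@live.fi", "admin@live.fi", "Host.Master+ca@LIVE.FI",
                    "ａｄｍｉｎ@live.fi", "admin1@live.fi", "admin@example.com"]:
        allowed, reason = validate_signup(request, hosted)
        print(f"{request:28} -> {'allow' if allowed else 'deny'} ({reason})")
```

The check deliberately matches only exact role names after normalization; "admin1" is allowed because no CA sends a validation code there, and widening the rule to prefixes would block legitimate users without reducing the risk the article describes.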

Standalone updater is available

Microsoft has blacklisted the fraudulent certificate, and the update is applied without any user intervention on systems running Windows 8, 8.1, RT, RT 8.1, Server 2012 and Server 2012 R2, as well as on devices running Windows Phone 8 and Windows Phone 8.1.

For Windows Vista, 7, Server 2008 and Server 2008 R2, an automatic updater for revoked certificates is available that can accomplish the task without user intervention.

However, if the user has not installed that utility, the CTL cannot be refreshed to exclude the risky entry. In this case, and on systems running Windows Server 2003, whose support ends on July 14, 2015, Microsoft recommends installing a standalone updater for revoked certificates.