Microsoft Blacklists Fake Windows Live SSL Certificate

Microsoft has blacklisted a fraudulent SSL certificate the company said could be used to spoof content and perform phishing and man-in-the-middle attacks.

In a security advisory, Microsoft said the SSL certificate, which was issued for the "live.fi" domain, has also been revoked by Comodo, the issuing Certificate Authority (CA). According to Microsoft, the certificate cannot be used to issue other certificates, impersonate other domains or sign code.

"A certificate was improperly issued due to a misconfigured privileged email account on the live.fi domain," according to the advisory. "An email account was able to be registered for the live.fi domain using a privileged username, which was subsequently used to request an unauthorized certificate for that domain."

So far, no attacks are known to be taking advantage of the situation, the advisory noted.

According to Comodo, all certificates must pass through domain control validation before they are issued. Domain control validation is a mechanism used to prove ownership or control of a registered domain name, and can be done in multiple ways, including sending an email to the administrator of the domain. The email contains a unique validation code and link the administrator can use to prove control.
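As an added example (not part of the advisory or the original article), here is a signup-side check a mail provider could run so that user-registrable mailbox names cannot collide with addresses a CA may email for domain control validation, plus an audit of existing accounts. The reserved list follows the CA/Browser Forum Baseline Requirements and is an assumption, since the advisory does not name the username involved; the domain and sample accounts are constructed.

```python
import unicodedata

# Local parts a CA may email for domain control validation, per the
# CA/Browser Forum Baseline Requirements (constructed-email method).
# Assumption: the advisory does not say which privileged username was used.
DCV_LOCAL_PARTS = frozenset(
    {"admin", "administrator", "hostmaster", "postmaster", "webmaster"}
)

# Constructed sample data, not taken from the incident.
SAMPLE_DOMAIN = "mail.example"
SAMPLE_ACCOUNTS = [
    "alice@mail.example",
    "Hostmaster@MAIL.EXAMPLE",
    "admin+certs@mail.example",
    "postmaster@other.example",
]


def normalize_local_part(local: str) -> str:
    """Fold a requested mailbox name to the form a mail system may deliver to."""
    # NFKC folds compatibility characters (e.g. fullwidth letters) to ASCII.
    folded = unicodedata.normalize("NFKC", local).strip().casefold()
    # Drop sub-addressing: "admin+x" is commonly delivered to "admin".
    return folded.split("+", 1)[0]


def is_reserved(local: str) -> bool:
    """True if a signup for this mailbox name must be refused."""
    return normalize_local_part(local) in DCV_LOCAL_PARTS


def audit_mailboxes(addresses, domain):
    """Return existing addresses on `domain` that collide with DCV local parts."""
    hits = []
    for addr in addresses:
        local, sep, host = addr.rpartition("@")
        if sep and host.casefold() == domain.casefold() and is_reserved(local):
            hits.append(addr)
    return hits


if __name__ == "__main__":
    for hit in audit_mailboxes(SAMPLE_ACCOUNTS, SAMPLE_DOMAIN):
        print("reserved mailbox held by a user account:", hit)
```
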

An attacker could use the certificates to spoof content and launch attacks against live.fi and www.live.fi, the Microsoft advisory explained.

"Although this issue does not result from an issue in any Microsoft product, we are nevertheless updating the CTL (Certificate Trust List) and providing an update to help protect customers," according to Microsoft. "Microsoft will continue to investigate this issue and may make future changes to the CTL or release a future update to help protect customers."

"Certificate Authorities are under constant attack from fraud attempts," said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. "The problem is we don’t hear about most of the successes. And you don’t have to attack a major global CA to be successful in getting a trusted certificate -- for example, there are hundreds of trusted CAs in every iOS device."
