Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Microsoft Blacklists Fake Windows Live SSL Certificate

Microsoft has blacklisted a fraudulent SSL certificate the company said could be used to spoof content and perform phishing and man-in-the-middle attacks.

Microsoft has blacklisted a fraudulent SSL certificate the company said could be used to spoof content and perform phishing and man-in-the-middle attacks.

In a security advisory, Microsoft said the SSL certificate, which was issued for the “live.fi” domain, has also been revoked by Comodo, the issuing Certificate Authority (CA). According to Microsoft, the certificate cannot be used to issue other certificates, impersonate other domains or sign code.

“A certificate was improperly issued due to a misconfigured privileged email account on the live.fi domain,” according to the advisory. “An email account was able to be registered for the live.fi domain using a privileged username, which was subsequently used to request an unauthorized certificate for that domain.”

So far, no attacks are known to be taking advantage of the situation, the advisory noted.

According to Comodo, all certificates must pass through domain control validation before they are issued. Domain control validation is a mechanism used to prove ownership or control of a registered domain name, and can be done in multiple ways, including sending an email to the administrator of the domain. The email contains a unique validation code and link the administrator can use to prove control.

An attacker could use the certificates to spoof content and launch attacks against live.fi and www.live.fi, the Microsoft advisory explained.

“Although this issue does not result from an issue in any Microsoft product, we are nevertheless updating the CTL (Certificate Trust List) and providing an update to help protect customers,” according to Microsoft. “Microsoft will continue to investigate this issue and may make future changes to the CTL or release a future update to help protect customers.”

“Certificate Authorities are under constant attack from fraud attempts,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “The problem is we don’t hear about most of the successes. And you don’t have to attack a major global CA to be successful in getting a trusted certificate — for example, there are hundreds of trusted CAs in every iOS device.”

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

Former Wiz executive Trish Cagliostro has joined Orchid Security as Chief Revenue Officer.

Transcend has named former UnitedHealth Group CISO Aimee Cardwell as CISO in Residence.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.