Microsoft Blacklists Fake Windows Live SSL Certificate

Microsoft has blacklisted a fraudulent SSL certificate the company said could be used to spoof content and perform phishing and man-in-the-middle attacks.

In a security advisory, Microsoft said the SSL certificate, which was issued for the “live.fi” domain, has also been revoked by Comodo, the issuing Certificate Authority (CA). According to Microsoft, the certificate cannot be used to issue other certificates, impersonate other domains or sign code.

“A certificate was improperly issued due to a misconfigured privileged email account on the live.fi domain,” according to the advisory. “An email account was able to be registered for the live.fi domain using a privileged username, which was subsequently used to request an unauthorized certificate for that domain.”

So far, no attacks are known to be taking advantage of the situation, the advisory noted.

According to Comodo, all certificates must pass through domain control validation before they are issued. Domain control validation is a mechanism used to prove ownership or control of a registered domain name, and can be done in multiple ways, including sending an email to the administrator of the domain. The email contains a unique validation code and link the administrator can use to prove control.
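Email-based validation is only as strong as the mail service's control over who can hold the addresses a CA will write to. The following added example (not from the advisory, Comodo or the original article) shows a registration-time check a mail provider could apply. The reserved list combines the five local-parts the CA/Browser Forum Baseline Requirements permit for constructed validation addresses with a few RFC 2142 role names. The function names, the `dots_significant` option and the "review" outcome are assumptions made for illustration.

```python
import unicodedata

# Local-parts a CA may mail for email-based domain control validation
# (CA/Browser Forum Baseline Requirements, constructed email to domain contact).
DCV_LOCAL_PARTS = {"admin", "administrator", "hostmaster", "postmaster", "webmaster"}
# Additional role mailboxes from RFC 2142; reserving them is a policy assumption.
ROLE_LOCAL_PARTS = {"abuse", "noc", "security"}
RESERVED = DCV_LOCAL_PARTS | ROLE_LOCAL_PARTS


def canonical_local_part(local_part, dots_significant=True):
    """Reduce a requested local-part to the form the mail system would deliver to."""
    # NFKC folds compatibility forms (e.g. fullwidth letters) to plain ASCII.
    s = unicodedata.normalize("NFKC", local_part).casefold().strip()
    # Sub-addressing: "admin+anything" is delivered to the "admin" mailbox.
    s = s.split("+", 1)[0]
    # Some providers ignore dots, so "post.master" and "postmaster" collide.
    if not dots_significant:
        s = s.replace(".", "")
    return s


def check_registration(local_part, dots_significant=True):
    """Return 'reserved', 'review', 'reject' or 'ok' for a self-service signup."""
    canon = canonical_local_part(local_part, dots_significant)
    if not canon:
        return "reject"
    if canon in RESERVED:
        return "reserved"
    # Non-ASCII survivors may be look-alikes of a reserved name (e.g. Cyrillic
    # "a"); NFKC does not fold those, so route them to a human.
    if not canon.isascii():
        return "review"
    return "ok"


if __name__ == "__main__":
    # Constructed sample signups, not taken from the incident.
    for name in ["alice", "Administrator", "hostmaster+ssl", "\uff41\uff44\uff4d\uff49\uff4e",
                 "\u0430dmin", "post.master"]:
        print(repr(name), "->", check_registration(name, dots_significant=False))
```

The same list should be applied to aliases, renames and mailing-list addresses, not only to new account creation.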

An attacker could use the certificates to spoof content and launch attacks against live.fi and www.live.fi, the Microsoft advisory explained.

“Although this issue does not result from an issue in any Microsoft product, we are nevertheless updating the CTL (Certificate Trust List) and providing an update to help protect customers,” according to Microsoft. “Microsoft will continue to investigate this issue and may make future changes to the CTL or release a future update to help protect customers.”

“Certificate Authorities are under constant attack from fraud attempts,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “The problem is we don’t hear about most of the successes. And you don’t have to attack a major global CA to be successful in getting a trusted certificate — for example, there are hundreds of trusted CAs in every iOS device.”
