A problem has been recently identified with nine digital certificates. Microsoft and Mozilla (Firefox) have issued updates to invalidate these certificates. The Microsoft update is in the form of a patch and the Mozilla Firefox update is in the form of a browser version update (either 3.6.16 or 3.5.18). Firefox will prompt the user to install the updated version.
There appears to be some inconsistency regarding the automatic installation of this patch from Microsoft. SANS indicates that it will not install automatically but the Microsoft Advisory indicates it WILL install automatically as long as auto updates are enabled.
Update can be downloaded from the following link – http://support.microsoft.com/kb/2524375
Information available from SANS can be found at
http://isc.sans.edu/diary/Microsoft+Advisory+about+fraudulent+SSL+Certificates/10600
Microsoft Advisory about fraudulent SSL Certificates
http://isc.sans.edu/diary/Firefox+3+Updates+and+SSL+Blacklist+extension/10597
Firefox 3 Updates and SSL Blacklist extension
http://www.microsoft.com/technet/security/advisory/2524375.mspx
General Information
Executive Summary
Microsoft is aware of nine fraudulent digital certificates issued by Comodo, a certification authority present in the Trusted Root Certification Authorities Store on all supported versions of Microsoft Windows. Comodo advised Microsoft on March 16, 2011 that nine certificates had been signed on behalf of a third party without sufficiently validating its identity. These certificates may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer.
These certificates affect the following Web properties:
• login.live.com
• mail.google.com
• www.google.com
• login.yahoo.com (3 certificates)
• login.skype.com
• addons.mozilla.org
• “Global Trustee”
Comodo has revoked these certificates, and they are listed in Comodo’s current Certificate Revocation List (CRL). In addition, browsers which have enabled the Online Certificate Status Protocol (OCSP) will interactively validate these certificates and block them from being used.
An update is available for all supported versions of Windows to help address this issue. For more information about this update, see Microsoft Knowledge Base Article 2524375.
Typically, no action is required of customers to install this update, because the majority of customers have automatic updating enabled and this update will be downloaded and installed automatically. For more information, including how to manually install this update, see the Suggested Actions section of this advisory.
—–Original Message—–
From: Microsoft [mailto:securitynotifications@e-mail.microsoft.com]
Sent: Wednesday, March 23, 2011 3:18 PM
To: Chuck Braden
Subject: Microsoft Security Advisory Notification
—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: March 23, 2011
********************************************************************
Security Advisories Updated or Released Today ==============================================
* Microsoft Security Advisory (2524375)
– Title: Fraudulent Digital Certificates Could Allow Spoofing
– http://www.microsoft.com/technet/security/advisory/2524375.mspx
– Revision Note: V1.0 (March 23, 2011): Advisory published.