Microsoft warns of fake Google and Yahoo domains

Summary: UPDATED. A security advisory from Microsoft includes more detail on the breach of an Indian government certificate authority announced by Google yesterday.

Microsoft has issued a security advisory entitled "Improperly Issued Digital Certificates Could Allow Spoofing" to announce its countermeasures to the issuance of false certificates for domains by the certificate authority of the National Informatics Centre (NIC), an agency of the government of India.

We first wrote of these events yesterday following Google's response to them. For reasons still unexplained, the NIC's CA issued certificates for a number of domains that belonged to Google, creating the potential for spoofing and man-in-the-middle attacks by any program that trusted the certificates. Google explained that its own products did not trust the Government of India Controller of Certifying Authorities (CCA), under which the NIC operates subordinate CAs. But, they noted, Microsoft's Trusted Root Store did include the CCA.

The Microsoft advisory repeats that the root store had trusted the NIC subordinate CAs and thanks Adam Langley and the Google Chrome Security Team for informing them of it.

It adds that they have updated "...the Certificate Trust list (CTL) for all supported releases of Microsoft Windows to remove the trust of certificates that are causing this issue." Note that this would indicate that Windows XP users will not receive the change.

For systems and devices running Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, Windows Server 2012 R2, Windows Phone 8 or Windows Phone 8.1, an automatic updater is included which will apply this change. For users running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2, an automatic updater was provided last year, which will do the same.

Users who have not installed the updater should follow instructions in the advisory.

The advisory lists the domains for which certificates were improperly issued. There are 17 Google domains, including google.com, m.gmail.com and gstatic.com. There are 27 Yahoo domains, including mail.yahoo.com, profile.yahoo.com and me.yahoo.com. Finally, static.com, a cloud PaaS (Platform as a Service), is included. (Since Google domains ending in gstatic.com were included, static.com may be an error on someone's part.)

Update at 3:50pm ET: A Microsoft spokesperson provided the following statement: "We have been working diligently on the mis-issued third-party certificates and have untrusted the related Subordinate Certification Authority certificates to ensure that our customers remain protected. Customers with automatic updates enabled do not need to take any action to remain protected. For more details refer to Security Advisory 2982792."

Update July 18 at 9:20am ET: Microsoft has released a Windows Server 2003 version of the automatic updater for the certificate store. This will allow Windows Server 2003 systems to be updated automatically for new and revoked trusted root certificates.

Topics: Security, Google, Government, Microsoft

Talkback

14 comments
  • M$ fails its due diligence

    and pushes malware that can hurt the competitors.
    DoJ should investigate this fishy overlook!
    LlNUX Geek
    • Did you read the article?

      Or is lying a norm for people like you?
      ForeverCookie
      • Errr

        Why do you bother with him. Blames everything on Microsoft. Bad certificates, war in the Middle East, Brazil losing badly in the World Cup, increase price in bestiality movies, ...
        Gisabun
    • Did you even read the article?

      I swear people see Microsoft and see another opportunity to make ridiculous claims. Microsoft is not the certificate authority and that certificate authority is legitimate. The fact that the authority issued certificates is the problem.
      lilbubba
    • How does Linux manage certificates?

      I am curious, Linux Geek. You're criticising Microsoft for the wrong thing - apparently having not read the article - and trolling around for other fish to fry.

      How does your particular Linux distro handle certificates? Do you subscribe to Red Hat and get a monthly update? Do you have to manually approve each certificate issuer as they first appear - and then manually revoke them? Do you even know whether you have the falsely issued certificates on your computer and are blindly trusting them?

      I am interested to hear from someone who uses a superior operating system - how does all of this work? Or perhaps the Linux library you use just assumes each CA is as good as the other?
      Postulator
    • Not included in my trusted XP

      This revoked certificate is not included in my machine's Trusted Root certificates. I was about to dig into my registry and delete it, but too bad, this one NIC [National Informatics Centre] certificate is not there.

      Mentioned above that XP will not be updated, but XP was not affected in the first place!!
      Martmarty
  • Everything about Google is fraud.

    thieves in suits...Google original is fake...
    Owl:Net
    • Yet Google recognized the problem

      with the fake certificates where Microsoft did not until it was pointed out to them.
      BoxOfParts
      • Not Impressed

        The spoof was made against Google's own sites and products -- so one would expect Google to spot them.
        ReadandShare
      • Errr

        If you notice, they went after Google - not Microsoft.
        And if you have Windows 7 or later, the certificates have been removed already [whether with a previous update or built in].
        So how are Linux and Mac OSs getting are and who told them?
        Gisabun
    • You might want to actually read the article

      "The Microsoft advisory repeats that the root store had trusted the NIC subordinate CAs and thanks Adam Langley and the Google Chrome Security Team for informing them of it."

      Did you get that?

      MS thanked Adam Langley and the Google Chrome Security Team for informing them of it.
      BoxOfParts
  • Unfortunate Microsoft "only" dilemma.

    Although Larry Seltzer did mention all the releases of Microsoft Windows Operating Systems (OS) covered by the false Certificate authorization, it would have been prudent to also clearly indicate that such problem applies to Windows OS "Only", and does not affect Apple OS X, LINUX, BSD UNIX-Like and UNIX OS.

    Otherwise, the Microsofties on ZDNet will attempt to spread (share) the unpleasantness of such a dilemma to all other OS technologies as some sort of cushion against the continual breaches experienced by Windows in the past several years.
    wanderson
  • Verifying Update

    How are we supposed to verify that the update has been made? Is there a number that we can look at in Update History?
    leonard45
    • re: Verifying Update

      From Microsoft's advisory:
      After applying the update, how can I verify the certificates in the Microsoft Untrusted Certificates Store?
      For Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 systems that are using the automatic updater of revoked certificates (see Microsoft Knowledge Base Article 2677070 for details), and for Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, and Windows Server 2012 R2 systems, you can check the Application log in the Event Viewer for an entry with the following values:

      Source: CAPI2
      Level: Information
      Event ID: 4112
      Description: Successful auto update of disallowed certificate list with effective date: Thursday, July 3, 2014 (or later).
      ---------------------------
      https://technet.microsoft.com/en-us/library/security/2982792.aspx
      redwolfe_98
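The verification step quoted from the advisory above can be scripted. The following is an added example (it is not part of the article, the comments, or Microsoft's advisory): it searches the Application log for the CAPI2 event with ID 4112, checks whether the effective date in the message is July 3, 2014 or later, and then lists certificates in the machine's Disallowed store whose subject matches a pattern. The subject pattern `NIC|India|CCA` is an assumption; the advisory names the CAs but this page does not give their exact certificate subjects, so adjust the pattern to what you see on your own machine.

```powershell
# Added example, not from the article or the advisory.
# Run from an elevated PowerShell prompt on Windows Vista / Server 2008 or later.

# Effective date the advisory says the updated disallowed list should carry (or later).
$cutoff = [datetime]'2014-07-03'

# 1. Look for Event ID 4112 in the Application log written by the CAPI2 provider.
#    The Event Viewer shows the source as "CAPI2"; the provider name contains that string.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 4112 } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*CAPI2*' }

if (-not $events) {
    Write-Warning 'No CAPI2 event 4112 found: the disallowed certificate list has not been auto-updated on this machine.'
} else {
    foreach ($e in ($events | Sort-Object TimeCreated -Descending)) {
        # The message ends with "... effective date: <date>"; capture up to a period or line break.
        $effective = $null
        if ($e.Message -match 'effective date:\s*([^\r\n.]+)') {
            try { $effective = [datetime]::Parse($Matches[1]) } catch { }   # localized messages may not parse
        }
        $status = if ($effective -and $effective -ge $cutoff) { 'OK (on or after cutoff)' }
                  elseif ($effective)                         { 'OLD (before cutoff)' }
                  else                                         { 'UNPARSED (check message manually)' }
        '{0}  EventID={1}  effective={2}  {3}' -f $e.TimeCreated, $e.Id, $effective, $status
    }
}

# 2. List Disallowed-store entries whose subject matches the (assumed) pattern for the Indian CAs.
#    Entries here are explicitly untrusted by Windows, which is the effect the advisory describes.
Get-ChildItem Cert:\LocalMachine\Disallowed |
    Where-Object { $_.Subject -match 'NIC|India|CCA' } |
    Select-Object Subject, Issuer, NotAfter, Thumbprint |
    Format-Table -AutoSize
```

If step 1 prints an `OK` line and step 2 shows the subordinate CA certificates, the machine has received the change the advisory describes; if neither appears, the automatic updater from Knowledge Base Article 2677070 (for Vista, 7 and Server 2008/2008 R2) is probably not installed, and the advisory's manual instructions apply.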