Microsoft warns of fake Google and Yahoo domains

Microsoft has issued a security advisory entitled "Improperly Issued Digital Certificates Could Allow Spoofing" to announce its countermeasures to the release of false domains by the certificate authority of the National Informatics Centre (NIC), an agency of the government of India.

We first wrote of these events yesterday following Google's response to them. For reasons still unexplained, the NIC's CA issued a number of domains that belonged to Google, creating the potential for spoofing and man-in-the-middle attacks if a program trusted the certificates. Google explained that its own products did not trust the Government of India Controller of Certifying Authorities (CCA), under which the NIC operates subordinate CAs. But, they noted, Microsoft's Trusted Root Store did include the CCA.

The Microsoft advisory repeats that the root store had trusted the NIC subordinate CAs and thanks Adam Langley and the Google Chrome Security Team for informing them of it.

It adds that they have updated "...the Certificate Trust list (CTL) for all supported releases of Microsoft Windows to remove the trust of certificates that are causing this issue." Note that this would indicate that Windows XP users will not receive the change.

For systems and devices running Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, Windows Server 2012 R2, Windows Phone 8 or Windows Phone 8.1, an automatic updater is included which will apply this change. For users running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2, an automatic updater was provided last year, which will do the same.

Users who have not installed the updater should follow instructions in the advisory.

The advisory lists the domains that were improperly issued. There are 17 Google domains, including google.com, m.gmail.com and gstatic.com. There are 27 Yahoo domains, including mail.yahoo.com, profile.yahoo.com and me.yahoo.com. Finally, static.com, a cloud PaaS (Platform as a Service) is included. (Since Google domains ending in gstatic.com were included, static.com may be an error on someone's part.)

Update at 3:50pm ET: A Microsoft spokesperson provided the following statement: "We have been working diligently on the mis-issued third-party certificates and have untrusted the related Subordinate Certification Authority certificates to ensure that our customers remain protected. Customers with automatic updates enabled do not need to take any action to remain protected. For more details refer to Security Advisory 2982792."

Update July 18 at 9:20am ET: Microsoft has released a Windows Server 2003 version of the automatic updater for the certificate store. This will allow Windows Server 2003 systems to be updated automatically for new and revoked trusted root certificates.