Thursday, March 24, 2011

SSL Certificates compromised, patches needed

Wonderful news: on Wednesday, 23 March, an "out-of-cycle" Windows Update was released. These are only rolled out when there are active attacks that can be fixed quickly. Mozilla and Google have also rolled out patches, so if you run Firefox, please update it as well (Chrome auto-updates, while Firefox usually checks once a day). The ZDNet ZeroDay article below has the "friendliest" write-up and the most details, including a strong suggestion that this was a state-driven attack, possibly by Iran. On my XP Pro SP3 system a reboot was NOT required.

Microsoft Releases Security Advisory 2524375 - MSRC - Site Home - TechNet Blogs
Hello - Today we're releasing Security Advisory 2524375, to address nine fraudulent digital certificates issued by Comodo Group Inc, a root certificate authority. Comodo has since revoked the digital certificates. This is not a Microsoft security vulnerability; however, one of the certificates potentially affects Windows Live ID users via login.live.com. These certificates may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against end users. We are unaware of any active attacks.

... The Microsoft mitigation will be made available through the Microsoft Download Center and the Windows Update Service. For customers who use Windows Automatic Updates, the update will occur automatically.

Firefox 3 Updates and SSL Blacklist extension
At the heels of yesterday's Firefox 4 release, we today got 3.6.16 and 3.5.18. As usual, Mozilla will provide security updates for some older browsers after the release of a new major version. If you are not planning to update to Firefox 4 soon, you should update to the newest 3.x version.

This wouldn't be worth a full diary (usually we just publish a "one liner") if it weren't for one interesting change: Mozilla decided to add some new blacklisted SSL certificates.

Microsoft warns: Fraudulent digital certificates issued for high-value websites | ZDNet
Microsoft today warned that Comodo has issued nine fraudulent digital certificates to a third party whose identity could not be sufficiently validated, a scenario that could allow attackers to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web surfers.

US-CERT Current Activity: Fraudulent SSL Certificates
added March 23, 2011 at 01:54 pm
US-CERT is aware of public reports of the existence of fraudulent SSL certificates. These fraudulent SSL certificates could be used by an attacker to masquerade as a trusted website. Multiple web browser vendors have provided updates to recognize and block these fraudulent SSL certificates.

Mozilla has updated Firefox 4.0, 3.6, and 3.5. Additional information can be found in the Mozilla Security Blog.

Microsoft has released updates for various platforms in Microsoft Knowledge Base Article 2524375. Additional information can be found in Microsoft Security Advisory 2524375.

Microsoft Advisory about fraudulent SSL Certificates
Microsoft just released an advisory [1] alerting its customers that a total of 9 certificates were issued using the leaked/stolen CA certificate from Comodo.

The affected domains are, according to Microsoft:

* login.live.com
* mail.google.com
* www.google.com
* login.yahoo.com (3 certificates)
* login.skype.com
* addons.mozilla.org (already known from an earlier announcement by Mozilla)
* "Global Trustee"
