
Microsoft issues security advisory affecting all versions of Windows, Windows Phone

Microsoft has issued a security advisory that affects users of all currently supported versions of Windows, including Windows 8, Windows Phone, and Windows RT. Though no immediate action may be required from the user on select platforms, it is important to know what is happening as it relates to the improper issuance of SSL certificates, which Microsoft says "could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks."

Admittedly, the company says that no such attacks have been confirmed as a result of improperly issued certificates by the National Informatics Centre in India. However, "to help protect customers from potentially fraudulent use of this digital certificate, Microsoft is updating the Certificate Trust list (CTL) for all supported releases of Microsoft Windows to remove the trust of certificates that are causing this issue."

For most platforms, customers do not need to take any action and an automatic updater should take care of things.

An automatic updater of revoked certificates is included in supported editions of Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, and Windows Server 2012 R2, and for devices running Windows Phone 8 or Windows Phone 8.1. For these operating systems or devices, customers do not need to take any action because the CTL will be updated automatically.

For systems running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 that are using the automatic updater of revoked certificates (see Microsoft Knowledge Base Article 2677070 for details), customers do not need to take any action because the CTL will be updated automatically.

Older systems should install the automatic updater and, of course, stay up to date with Windows Update.
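For readers who want to confirm that the updater described above is actually in place on a Windows 7 or Server 2008 R2 machine, here is an added PowerShell check. It is not part of the article or of Microsoft's advisory. It reads the AuthRoot\AutoUpdate registry key to see when the disallowed certificate trust list was last synced, then looks in the machine's Disallowed certificate store for a given thumbprint. The value name DisallowedCertLastSyncTime and its 8-byte FILETIME encoding are assumptions, and THUMBPRINT_FROM_ADVISORY is a placeholder to be replaced with a thumbprint from the advisory itself, which this page does not list.

```powershell
# Added example, not from the article or Microsoft's advisory. Run in an elevated
# PowerShell on Windows 7 / Server 2008 R2 to check (1) whether the automatic updater
# of revoked certificates (KB2677070) has synced the disallowed CTL, and (2) whether a
# given certificate is already in the local Disallowed store.
# Assumption: the value name DisallowedCertLastSyncTime under AuthRoot\AutoUpdate and
# its encoding as an 8-byte FILETIME are assumed here, not stated on the page.

$autoUpdateKey = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
$props = Get-ItemProperty -Path $autoUpdateKey -ErrorAction SilentlyContinue

if ($null -eq $props -or -not $props.PSObject.Properties['DisallowedCertLastSyncTime']) {
    # No sync record: the updater is missing or has never run, so the CTL is stale.
    Write-Warning 'No disallowed-CTL sync recorded: KB2677070 may be missing or the updater has never run.'
} else {
    # REG_BINARY FILETIME -> readable UTC timestamp of the last disallowed-CTL sync.
    $fileTime = [BitConverter]::ToInt64($props.DisallowedCertLastSyncTime, 0)
    $lastSync = [DateTime]::FromFileTimeUtc($fileTime)
    Write-Output "Disallowed CTL last synced (UTC): $lastSync"
}

# Placeholder: substitute a thumbprint from the advisory; this page does not list one.
$thumbprint = 'THUMBPRINT_FROM_ADVISORY'
$match = Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
    Where-Object { $_.Thumbprint -eq $thumbprint }

if ($match) {
    Write-Output "Distrusted locally: $($match.Subject)"
} else {
    Write-Output "Thumbprint $thumbprint is not in the Disallowed store yet."
}
```

A sync time later than the advisory's release, together with the thumbprint appearing in the Disallowed store, is the confirmation that no manual action is needed on that machine. A missing sync record is the case the article's last paragraph covers: install the updater first, then let Windows Update run.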

Thanks, Richard, for the tip.

You can read more about the security advisory from Microsoft's site.


Comments

There are 75 comments.

cesar ruiz1 says:

Wow, it's all Windows and WP is included. WP is never included in anything; it's nice to see it's all ONE. Even though it's bad.

bobsentell says:

This issue would also affect iOS, OSX, Android, and Chromium. Everyone uses SSL certificates. Honestly, given the broad nature of this threat and the automatic nature of the fix (on all OSs the fix is on the back end) I'm surprised Microsoft said anything at all other than reminding people why it is time to update Windows XP, you cheap ass bums!

roguecroce says:

So... Can I have this in easy English without reading Microsoft Esperanto gibberish... Unless we have XP we don't need to actually read or DO anything, right?

bobsentell says:

If you have Windows 7.x or 8.x, you are good. It updates automatically, though it probably wouldn't hurt to make sure you have the latest Windows updates installed.

Nerdy Woman says:

I'd add a qualifier there, Bob. According to the security advisory, Win7 users may be safe...

"For systems running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2, and that do not have the automatic updater of revoked certificates installed, this update is not available. To receive this update, customers must install the automatic updater of revoked certificates (see Microsoft Knowledge Base Article 2677070 for details). Customers in disconnected environments and who are running Windows Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 can install update 2813430 to receive this update (see Microsoft Knowledge Base Article 2813430 for details)."

I posted a link to the security advisor on FB and my mom just informed me that her ESET antivirus won't allow her to access the page. WTF? An AV that blocks your OS dev's website?


bobsentell says:

I stand corrected. So, yes, update your PC if you don't have them already turned on.

As for the anti-virus program, I use Windows Defender only as my internet usage is limited to social, news, and school. Nothing "unbecoming" from me.

vitor_canova says:

I think it applies to iOS only if they have this particular CA in their list.

bobsentell says:

It may not. Apple and Google may have dealt with this issue without being public about it. SSL certificates are issued to websites, so Microsoft is essentially adding those particular SSL certificates to their "block" list and all of them major OSs would need to do that.

Again, I think Microsoft realizes many of their users still use XP and with XP no longer getting updates, this is another way to remind people it is time to update to 7 or 8.

Nik Rolls says:

Yep, this is not actually a Windows issue, but a certificate root issue (caused by NIC in India). However because these globally trusted root certificates are stored in every OS, every OS they're trusted in needs to be updated every time they're changed.

jhguy says:

This does only affect Windows devices! It's about an Indian CA that has given out false certificates for google.com, yahoo.com etc. Microsoft is the only vendor that trusts this CA, so only Microsoft is affected!

Nik Rolls says:

Just to be clear to other readers, because the article isn't quite: this is actually an issue with NIC India, not with Windows. But Windows must be updated in light of the security issues with the cert.

paragoneer says:

Yes, it's certainly interesting. I don't remember any previous Microsoft security bulletin addressing a WP vulnerability.

Sahil Kutty says:

I didn't get the Indian reference. Can anyone please explain it to me?

Ed Boland says:

There's a link in this article to the TechNet page bulletin that explains it all.

Sahil Kutty says:

Oh yeah, thanks!

nitt_attaboy says:

Try IRCTC website & you'll know what it means to say.

herbertsnow says:

This is the worst day of my life.

explosive0 says:

Your life must be easy then. 

herbertsnow says:

I'm barely alive.

I hope it was ironic.

Mathematicsb says:

then you have lived a charmed life

herbertsnow says:

No kids, no wife, the fun never ends.

Mathematicsb says:

That is the dream.... No kids yelling, no wife nagging, just me my Xbox and a stack of pizza boxes duct taped into a table with another pizza box with a pizza in it on top.

Not even close, haha

Peg Leg says:

Yeah, I need Terminex for my rotten peg leg before it snaps in half while I'm on a date. That's what you're talking about, right? Terminex?

Are you on crack? You should seek help. Might help you stop commenting on posts you have zero clue about. Nice try. Go polish your peg leg.

bobsentell says:

But... what are you talking about. Bing Translator app on my phone says "PervyP" (though, the Bing Translator Page says "first")

I was replying to him, saying that he wasn't even close to being first.

bobsentell says:

Yeah, thanks to the translator, I saw that. Is "PervyP" close to "First" in Russian or was Bing Translator just being goofy?

Perviy is first in Russian yes

bobsentell says:

Ah... okay. So it was close. Good to know.

Thanks!

xFalk says:

I believe he was being funny as most on here would have no idea what was said (myself included) and "Terminex" would fit just as easily as "butt fart" would.

Let's just all get along. I'm sorry I overreached.

kb4000 says:

Nice that it will be fixed automatically without needing a full blown, carrier approved update.

Lmfao. I second that.

Ok something's happening but we don't need to care. Thanks

andrew1967 says:

Microsoft left the WINDOWS open and now every one is gonna be breaking in,,,,

As a tribute to 2010...

"He's climbin in your Windows, snatching all your data up."

TechniqS says:

Weren't Google and Yahoo certificates being spoofed recently? Microsoft isn't the problem here I think, they are just protecting their users.

At least they are protecting me think about Google lol

Since a day or two ago Yahoo's site login doesn't seem to be working.

trwrt says:

Why so defensive?  Who said anything about Google or Yahoo?  The problem is bad certificates issued by a CA in India, nothing to do with Microsoft or any other company.

I noticed that the DP 8.1 wasn't mentioned. Hopefully it is included in this.

8.1 is probably considered beta and not a general public release. However, I'm pretty sure the fix will be for DP as well, since it's a server push and they know a bunch of people are using it as their daily driver. Hopefully by the end of the month I'll be on Cyan and 8.1.1.

Peg Leg says:

Yeah, but we still won't have it. You use that user name for Shadow Gun 2?

Fritzly says:

I guess people who have bought devices that shipped with 8.1 disagree.....

SwimSwim says:

It says 8.1 is included in the article... :/

So basically it works the same way the WU agent gets updates pushed automagically on WP.

terrokkinit says:

Another reason I love Microsoft. Looking out for its customers by notification of security issues and taking proactive steps to secure their products. Never switching again. :)

Yep they are improving their relationship with consumers

chmun77 says:

Erm. How do we update our Windows Phone 8 then? Phones don't receive periodic updates like desktops?

I don't want to be an a-hole...but did you even read the article? He clearly states that you won't have to do anything on your phone...

chmun77 says:

"An automatic updater of revoked certificates is included in supported editions of Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, and Windows Server 2012 R2, and for devices running Windows Phone 8 or Windows Phone 8.1. For these operating systems or devices, customers do not need to take any action because the CTL will be updated automatically."

I know, smart one, and I did read everything. But how does that work??? So there is also an automatic updater on Windows Phone for the CTL? Isn't that supposed to be on MS servers? Thanks for explaining though.

jhguy says:

It's just how the system works ;) Internet Explorer stores the CRL locally.

chmun77 says:

So, do we need to update the IE mobile as well, perhaps with an update or something? Otherwise, how can our phones be updated, even though this article stated that we are not required to do anything?

Nerdy Woman says:

They say that WPs are updated automatically... is the CTL stored in the cloud then? Cuz here in the US, everything MS wants to send us has to be vetted by the freakin carriers. No such thing as an automatic update.

12Danny123 says:

Most likely an emergency update.

conthejas says:

So what do we do?? Is there an update rolling out soon?

My guess is WP8 calls home every 24 hrs like every other system feature that does daily syncs.

I really like Microsoft's policies.

MediaCastleX says:

I remember the second ever update to Windows Phone had something to do with certificates and security... Ah, memories. =]

gregoron says:

I guess this is one advantage/disadvantage of the universal Windows OS.

nitt_attaboy says:

Now I know why the IRCTC website was having trouble opening up. It said the certificate was issued for some other site but used by it, and so it was getting blocked by the firewall.