Microsoft issues security advisory affecting all versions of Windows, Windows Phone

Microsoft has issued a security advisory that affects users of all currently supported versions of Windows, including Windows 8, Windows Phone, and Windows RT. Though no immediate action may be required from the user on select platforms, it is important to know what is happening as it relates to the improper issuance of SSL certificates, which Microsoft says "could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks."

Admittedly, the company says that no such attacks have been confirmed as a result of improperly issued certificates by the National Informatics Centre in India. However, "to help protect customers from potentially fraudulent use of this digital certificate, Microsoft is updating the Certificate Trust list (CTL) for all supported releases of Microsoft Windows to remove the trust of certificates that are causing this issue."

For most platforms, customers do not need to take any action and an automatic updater should take care of things.

An automatic updater of revoked certificates is included in supported editions of Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, and Windows Server 2012 R2, and for devices running Windows Phone 8 or Windows Phone 8.1. For these operating systems or devices, customers do not need to take any action because the CTL will be updated automatically.

For systems running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 that are using the automatic updater of revoked certificates (see Microsoft Knowledge Base Article 2677070 for details), customers do not need to take any action because the CTL will be updated automatically.

Older systems should install the automatic updater and, of course, stay up to date.
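The advisory's fix arrives through the Disallowed Certificates CTL rather than a user-visible patch, so an administrator mostly wants to confirm the host is wired up to receive it. The PowerShell below is an added example, not Microsoft's code or the article's; the function names are mine, and the `AuthRoot\AutoUpdate` registry value names (`DisableRootAutoUpdate`, `DisallowedCertLastSyncTime`) are assumed to be the ones the updater maintains.

```powershell
# Added example (not from Microsoft or the article): report whether this
# Windows host is positioned to receive the disallowed-certificate CTL update.
# Assumptions: the AuthRoot\AutoUpdate value names below are the ones the
# automatic updater writes (DisallowedCertLastSyncTime is a FILETIME stored as
# REG_BINARY); KB2677070 is the updater package named in the advisory.
function Get-DisallowedCtlStatus {
    $autoUpdateKey = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
    $status = [ordered]@{
        OSVersion            = [Environment]::OSVersion.Version.ToString()
        UpdaterHotfixPresent = $false   # only meaningful on Vista/7/2008/2008 R2
        AutoUpdateDisabled   = $false
        DisallowedLastSync   = $null
        DisallowedCertCount  = 0
    }

    # Windows 8 and later ship the updater; older systems need KB2677070 installed.
    $status.UpdaterHotfixPresent = [bool](Get-HotFix -Id 'KB2677070' -ErrorAction SilentlyContinue)

    if (Test-Path $autoUpdateKey) {
        $props = Get-ItemProperty -Path $autoUpdateKey
        # Group Policy "Turn off Automatic Root Certificates Update" sets this to 1,
        # which would also stop the disallowed-cert list from refreshing.
        if ($props.DisableRootAutoUpdate -eq 1) { $status.AutoUpdateDisabled = $true }
        # Assumed value name: last time the disallowed-cert CTL was synced.
        if ($props.DisallowedCertLastSyncTime) {
            $fileTime = [BitConverter]::ToInt64($props.DisallowedCertLastSyncTime, 0)
            $status.DisallowedLastSync = [DateTime]::FromFileTimeUtc($fileTime)
        }
    }

    # Certificates whose trust Microsoft has explicitly removed land in this store.
    $status.DisallowedCertCount = @(Get-ChildItem -Path Cert:\LocalMachine\Disallowed).Count
    [pscustomobject]$status
}

# Check whether a specific certificate (by SHA-1 thumbprint) is distrusted locally.
function Test-CertDistrusted {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $t = $Thumbprint.Replace(' ', '').ToUpperInvariant()
    [bool](Get-ChildItem -Path Cert:\LocalMachine\Disallowed | Where-Object { $_.Thumbprint -eq $t })
}

Get-DisallowedCtlStatus | Format-List
```

A host showing `AutoUpdateDisabled = True` or an old `DisallowedLastSync` is one that will keep trusting the certificates the advisory revokes until the updater is re-enabled or update 2813430 is applied manually.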

Thanks, Richard, for the tip.

You can read more about the security advisory from Microsoft's site.


Reader comments


Wow, it's all Windows and WP is included. WP is never included in anything, it's nice to see it's all ONE. Even though it's bad.

This issue would also affect iOS, OSX, Android, and Chromium. Everyone uses SSL certificates. Honestly, given the broad nature of this threat and the automatic nature of the fix (on all OSs the fix is on the back end) I'm surprised Microsoft said anything at all other than reminding people why it is time to update Windows XP, you cheap ass bums!

So... Can I have this in easy English without reading Microsoft Esperanto gibberish... Unless we have XP we don't need to actually read or DO anything, right?

If you have Windows 7.x or 8.x, you are good. It updates automatically, though it probably wouldn't hurt to make sure you have the latest Windows updates installed.

I'd add a qualifier there, Bob. According to the security advisory, Win7 users may be safe...

"For systems running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2, and that do not have the automatic updater of revoked certificates installed, this update is not available. To receive this update, customers must install the automatic updater of revoked certificates (see Microsoft Knowledge Base Article 2677070 for details). Customers in disconnected environments and who are running Windows Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 can install update 2813430 to receive this update (see Microsoft Knowledge Base Article 2813430 for details)."

I posted a link to the security advisory on FB and my mom just informed me that her ESET antivirus won't allow her to access the page. WTF? An AV that blocks your OS dev's website?

I stand corrected. So, yes, update your PC if you don't have them already turned on.

As for the anti-virus program, I use Windows Defender only as my internet usage is limited to social, news, and school. Nothing "unbecoming" from me.

It may not. Apple and Google may have dealt with this issue without being public about it. SSL certificates are issued to websites, so Microsoft is essentially adding those particular SSL certificates to their "block" list and all of them major OSs would need to do that.

Again, I think Microsoft realizes many of their users still use XP and with XP no longer getting updates, this is another way to remind people it is time to update to 7 or 8.

Yep, this is not actually a Windows issue, but a certificate root issue (caused by NIC in India). However because these globally trusted root certificates are stored in every OS, every OS they're trusted in needs to be updated every time they're changed.

This does only affect Windows devices! It's about an Indian CA that has given out false certificates for google.com, yahoo.com etc. Microsoft is the only vendor that trusts this CA, so only Microsoft is affected!

Just to be clear to other readers, because the article isn't quite: this is actually an issue with NIC India, not with Windows. But Windows must be updated in light of the security issues with the cert.

Yes, it's certainly interesting. I don't remember any previous Microsoft security bulletin addressing a WP vulnerability.

That is the dream.... No kids yelling, no wife nagging, just me my Xbox and a stack of pizza boxes duct taped into a table with another pizza box with a pizza in it on top.

Yeah, I need Terminex for my rotten peg leg before it snaps in half while I'm on a date. That's what you're talking about, right? Terminex?

Are you on crack? You should seek help. Might help you stop commenting on posts you have zero clue about. Nice try. Go polish your peg leg.

But... what are you talking about. Bing Translator app on my phone says "PervyP" (though, the Bing Translator Page says "first")

Yeah, thanks to the translator, I saw that. Is "PervyP" close to "First" in Russian or was Bing Translator just being goofy?

I believe he was being funny as most on here would have no idea what was said (myself included) and "Terminex" would fit just as easily as "butt fart" would.

Weren't Google and Yahoo certificates being spoofed recently? Microsoft isn't the problem here I think, they are just protecting their users.

Why so defensive? Who said anything about Google or Yahoo? The problem is bad certificates issued by a CA in India, nothing to do with Microsoft or any other company.

Another reason I love Microsoft. Looking out for its customers by notification of security issues and taking proactive steps to secure their products. Never switching again. :)

Erm. How do we update our Windows Phone 8 then? Phones don't receive periodic updates like desktops?

I don't want to be an a-hole...but did you even read the article? He clearly states that you won't have to do anything on your phone...

"An automatic updater of revoked certificates is included in supported editions of Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, and Windows Server 2012 R2, and for devices running Windows Phone 8 or Windows Phone 8.1. For these operating systems or devices, customers do not need to take any action because the CTL will be updated automatically."

I know, smart one, and I did read everything. But how does that work??? So there is also an automatic updater on Windows Phone for CTL? Ain't that supposed to be on MS servers? Thanks for explaining though.

So, do we need to update the IE mobile as well, perhaps with an update or something? Otherwise, how can our phones be updated, even though this article stated that we are not required to do anything?

They say that WPs are updated automatically... is the CTL stored in the cloud then? Cuz here in the US, everything MS wants to send us has to be vetted by the freakin carriers. No such thing as an automatic update.

Now I know why the IRCTC website was having trouble opening up. It said the Certificate was issued for some other site but used by it & so was getting blocked by the firewall.