Skip to main content

Microsoft issues security advisory affecting all versions of Windows, Windows Phone

Microsoft has issued a security advisory that affects users of all currently supported versions of Windows, including Windows 8, Windows Phone, and Windows RT. Though no immediate action may be required from the user on select platforms, it is important to know what is happening as it relates to the improper issuance of SSL certificates, which Microsoft says "could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks."

Admittedly, the company says that no such attacks have been confirmed as a result of improperly issued certificates by the National Informatics Centre in India. However, "to help protect customers from potentially fraudulent use of this digital certificate, Microsoft is updating the Certificate Trust list (CTL) for all supported releases of Microsoft Windows to remove the trust of certificates that are causing this issue."

For most platforms, customers do not need to take any action and an automatic updater should take care of things.

An automatic updater of revoked certificates is included in supported editions of Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, and Windows Server 2012 R2, and for devices running Windows Phone 8 or Windows Phone 8.1. For these operating systems or devices, customers do not need to take any action because the CTL will be updated automatically.For systems running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 that are using the automatic updater of revoked certificates (see Microsoft Knowledge Base Article 2677070 for details), customers do not need to take any action because the CTL will be updated automatically.

Older systems should install the automatic updater and of course to stay up to date.

Thanks, Richard, for the tip.

You can read more about the security advisory from Microsoft's site (opens in new tab).

Chuong's passion for gadgets began with the humble PDA. Since then, he has covered a range of consumer and enterprise devices, raning from smartphones to tablets, laptops to desktops and everything in between for publications like Pocketnow, Digital Trends, Wareable, Paste Magazine, and TechRadar in the past before joining the awesome team at Windows Central. Based in the San Francisco Bay Area, when not working, he likes exploring the diverse and eclectic food scene, taking short jaunts to wine country, soaking in the sun along California's coast, consuming news, and finding new hiking trails. For news tips or to connect, please message him on the Signal messaging app at +1 (424) 666-7438. 

65 Comments
  • Wow its all Windows and WP is included. WP is never included in anything its nice to see its all ONE. Even though its bad.
  • This issue would also affect iOS, OSX, Android, and Chromium. Everyone uses SSL certificates. Honestly, given the broad nature of this threat and the automatic nature of the fix (on all OSs the fix is on the back end) I'm surprised Microsoft said anything at all other than reminding people why it is time to update Windows XP you cheap ass bums!.
  • So... Can I have this in easy English without reading Microsoft Esperanto gibberish... Unless we have XP we don't need to actually read or DO anything, right?
  • If you have Windows 7.x or 8.x, you are good. It updates automatically, though it probably wouldn't hurt to make sure you have the latest Windows updates installed.
  • I'd add a qualifier there, Bob. According to the security advisory, Win7 users may be safe... "For systems running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2, and that do not have the automatic updater of revoked certificates installed, this update is not available. To receive this update, customers must install the automatic updater of revoked certificates (see Microsoft Knowledge Base Article 2677070 for details). Customers in disconnected environments and who are running Windows Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 can install update 2813430 to receive this update (see Microsoft Knowledge Base Article 2813430 for details)." I posted a link to the security advisor on FB and my mom just informed me that her ESET antivirus won't allow her to access the page. WTF? An AV that blocks your OS dev's website?  
  • I stand corrected. So, yes, update your PC if you don't have them already turned on. As for the anti-virus program, I use Windows Defender only as my internet usage is limited to social, news, and school. Nothing "unbecoming" from me.
  • I think it applies to iOS only if they have this particular CA in their list.
  • It may not. Apple and Google may have dealt with this issue without being public about it. SSL certificates are issued to websites, so Microsoft is essentially adding those particular SSL certificates to their "block" list and all of them major OSs would need to do that. Again, I think Microsoft realizes many of their users still use XP and with XP no longer getting updates, this is another way to remind people it is time to update to 7 or 8.
  • Yep, this is not actually a Windows issue, but a certificate root issue (caused by NIC in India). However because these globally trusted root certificates are stored in every OS, every OS they're trusted in needs to be updated every time they're changed.
  • This does only affect Windows devices ! It's about an Indian CA that has given out false certificates for google.com, yahoo.com etc. Microsoft is the only vendor, that trusts this CA so only Microsoft is affected !
  • Just to be clear to other readers, because the article isn't quite: this is actually an issue with NIC India, not with Windows. But Windows must be updated in light of the security issues with the cert.
  • Yes it's certainly interesting. I don't remember any previous Microsoft security bulletin adressing a WP vulnerability.
  • I didn't get the Indian reference. Can anyone please explain it to me?
  • There's a link in this article to the TechNet page bulletin that explains it all.
  • Oh yeah, thanks!
  • Try IRCTC website & you'll know what it means to say.
  • Your life must be easy then. 
  • I hope it was ironic.
  • then you have lived a charmed life
  • That is the dream.... No kids yelling, no wife nagging, just me my Xbox and a stack of pizza boxes duct taped into a table with another pizza box with a pizza in it on top.
  • Beautiful
  • Ok
  • Первы!!
  • Даже рядом не стоял хаха
  • Yeah, I need Terminex for my rotten peg leg before it snaps in half while I'm on a date. That's what your talking about, right? Terminex?
  • Are you on crack? You should seek help. Might help you stop commenting on posts you have zero clue about. Nice try. Go polish your peg leg.
  • But... what are you talking about. Bing Translator app on my phone says "PervyP" (though, the Bing Translator Page says "first")
  • I was replying to him, saying that he wasn't even close to being first.
  • Yeah, thanks to the translator, I saw that. Is "PervyP" close to "First" in Russian or was Bing Translator just being goofy?
  • Perviy is first in Russian yes
  • Ah... okay. So it was close. Good to know. Thanks!
  • I believe he was being funny as most on here would have no idea what was said (myself included) and "Terminex" would fit just as easily as "butt fart" would.
  • Lets just all get along I'm sorry I overreached
  • Nice that it will be fixed automatically without needing a full blown, carrier approved update.
  • This
  • Lmfao. I second that.
  • Ok something's happening but we don't need to care. Thanks
  • That's what the government wants you to think.
  • Lol
  • +925
  • LOL!
  • Microsoft left the WINDOWS open and now every one is gonna be breaking in,,,,
  • Ahahaha!
  • As a tribute to 2010... "He's climbin in your Windows, snatching all your data up."
  • Weren't Google and Yahoo certificates being spoofed recently? Microsoft isn't the problem here I think, they are just protecting their users.
  • At least they are protecting me think about Google lol
  • Since a day or two ago yahoo's site login doesnt seem to be working
  • Why so defensive?  Who said anything about Google or Yahoo?  The problem is bad certificates issued by a CA in India, nothing to do with Microsoft or any other company.
  • Damn!
  • So basicly it works the same way wu agent gets updates pushed automagicly on wp
  • Another reason I love Microsoft. Looking out for its customers by notification of security issues and taking proactive steps to secure their products. Never switching again. :)
  • Yep they are improving their relationship with consumers
  • Erm. How do we update our Windows Phone 8 then? Phones don't received periodic updates like desktops?
     
  • I don't want to be an a-hole...but did you even read the article? He clearly states that you won't have to do anything on your phone...
  • "An automatic updater of revoked certificates is included in supported editions of Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, and Windows Server 2012 R2, and for devices running Windows Phone 8 or Windows Phone 8.1. For these operating systems or devices, customers do not need to take any action because the CTL will be updated automatically." I know smart one and I did read everything. But how does that work??? So there is also an automatic updater on windows phone for CTL? Ain't that suppose to be on MS servers? Thanks for explaining though.
  • It's just how the system works ;) internet explorer stores the CRL locally
  • So, do we need to update the IE mobile as well, perhaps with an update or something? Otherwise, how can our phones be updated, even though this article stated that we are not required to do anything?
  • They say that WPs are updated automatically... is the CTL stored in the cloud then? Cuz here in the US, everything MS wants to send us has to be vetted by the freakin carriers. No such thing as an automatic update.
  • Most likely an emergancy update
  • So what do we do?? Is there an update rolling out soon?
  • My guess is wp8 calls home every 24hrs like every other system feature that does daily syncs
  • I really like the Microsoft's policies.
  • I remember the second ever update to Windows Phone had something to do with certificates and security... Ah, memories. =]
  • I guess this is one advantage/disadvantage of the universal Windows OS.
  • Now I know why the IRCTC website was having trouble opening up. It said the Certificate was issued for some other site but used by it & so was getting blocked by the firewall.