Microsoft zaps bogus SSL certs with emergency patch 2982792

Security Advisory 2982792 revokes fake SSL certs for Windows 8/8.1/RT/Server 2012, but for Windows 7/Server 2008 the situation is not as clear

Yesterday, Dustin Childs at the Microsoft Security Response Center advised that Microsoft is revoking "improperly issued" SSL certificates for Google sites and others. According to Security Advisory 2982792, the 45 bogus certificates were issued by the National Informatics Centre, which works under the root Certificate Authority of the Government of India Controller of Certifying Authorities.

More troubling, the subordinate CAs could be used -- indeed, may have already been used -- to issue even more bad certificates. Apparently, the folks at Google caught the bad certs, and Yahoo is also affected.

Dan Goodin at Ars Technica explains:

The unscheduled update will hardwire the revocation of these specific certificates directly into Windows, a measure that prevents attackers from bypassing real-time certificate verification checks performed by the online certificate status protocol.

If you're using Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, Windows Server 2012 R2, Windows Phone 8, or Windows Phone 8.1, you don't have to do a thing. Your system looks for cert revocations once a day and automatically absorbs them into your machine's Certificate Trust List.

If you're using Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2, you may or may not be protected automatically. Back in June 2012, Microsoft released a Windows patch that installs the automatic cert scanner. It's known as KB 2677070. There are two oddities with the patch.

First, installing KB 2677070 can create all sorts of problems if your computer isn't connected to the Internet. If you download the installer from the KB 2677070 Web page, then take that file to another machine and install it, the newly updated machine may encounter issues unless it's connected to the Internet immediately when the machine is rebooted. Naz Parker has a partial list of sobering warnings.

Second, if you scan your list of installed patches you may or may not see KB 2677070 listed. The only way I've found to tell if you have the automatic cert revoker installed is to try to install KB 2677070 from the website. If the installer throws off the error message, "The update is not applicable to your computer," you already have the automatic cert revoker installed.

Considering the number of certs being revoked these days, you should check to make sure the automatic cert revoker is installed.
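As an added illustration (not part of the article or of Microsoft's tooling), the PowerShell check below does what the preceding paragraphs describe by hand: it asks the servicing stack whether KB 2677070 is registered, reads the last time the disallowed-certificate CTL was synced, and lists anything already sitting in the machine's Untrusted Certificates store. The registry location of the sync timestamp and the issuer-name pattern are assumptions made for this example, not values taken from the advisory.

```powershell
# Added example, not from the article. Checks the three things the text
# talks about: the KB 2677070 updater, the daily CTL sync, and the
# Disallowed (Untrusted Certificates) store it populates.

function Test-CertRevokerInstalled {
    # Get-HotFix only shows updates the servicing stack recorded; as the
    # article notes, KB 2677070 may be present yet not listed here, so a
    # $false result is "unknown", not "absent".
    $hotfix = Get-HotFix -Id 'KB2677070' -ErrorAction SilentlyContinue
    return ($null -ne $hotfix)
}

function Get-DisallowedCtlLastSync {
    # Assumed location of the updater's sync state (binary FILETIME).
    # Missing value means no disallowed-CTL sync has ever completed.
    $key = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.DisallowedCertLastSyncTime) { return $null }
    $ticks = [BitConverter]::ToInt64($item.DisallowedCertLastSyncTime, 0)
    return [DateTime]::FromFileTimeUtc($ticks)
}

function Get-DisallowedCerts {
    param([string]$NamePattern = 'National Informatics Centre|NIC')  # assumed pattern
    # 'Disallowed' is the store the CTL update writes revoked CA certs into.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Disallowed', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        $store.Certificates |
            Where-Object { $_.Subject -match $NamePattern -or $_.Issuer -match $NamePattern } |
            Select-Object Subject, Issuer, Thumbprint, NotAfter
    } finally {
        $store.Close()
    }
}

"KB 2677070 listed by Get-HotFix : $(Test-CertRevokerInstalled)"
"Last disallowed-CTL sync (UTC)  : $(Get-DisallowedCtlLastSync)"
"Matching entries in Disallowed store:"
Get-DisallowedCerts | Format-Table -AutoSize
```

A recent sync time together with matching entries in the Disallowed store is stronger evidence that the updater is working than the Get-HotFix result alone; an empty store and no sync time on a Vista/7/2008 machine is the case the article tells you to investigate.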

This story, "Microsoft zaps bogus SSL certs with emergency patch 2982792," was originally published at InfoWorld.com.
