Microsoft has issued an emergency update for most supported versions of Windows to prevent attacks that abuse recently issued digital certificates impersonating Google and Yahoo. Company officials warned undiscovered fraudulent credentials for other domains may still be in the wild.
Thursday's unscheduled update effectively blocks highly sensitive secure sockets layer (SSL) certificates covering 45 domains that hackers managed to generate after compromising systems operated by the National Informatics Centre (NIC) of India. That's an intermediate certificate authority (CA) whose certificates were automatically trusted by all supported versions of Windows. Millions of sites operated by banks, e-commerce companies, and other types of online services use such cryptographic credentials to encrypt data passing over the open Internet and to prove the authenticity of their servers. As Ars explained Wednesday, the counterfeit certificates pose a risk to Windows users accessing SSL-protected sections of Google, Yahoo, and any other affected domains.
"These SSL certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against Web properties," a Microsoft advisory warned. "The subordinate CAs may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks."