Microsoft is scrambling to block a fraudulent HTTPS certificate that was issued for one of the company's Windows Live Web addresses lest it be used by attackers to mount convincing man-in-the-middle attacks.
The phony Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificate was issued for live.fi and www.live.fi, addresses Microsoft reserves for its Windows Live services. Comodo, the browser-trusted certificate authority that issued it, has already revoked the certificate. But revocation offers weak protection in practice: browsers learn a certificate's status through online OCSP queries or periodically downloaded certificate revocation lists, and most of them treat a failed or blocked check as a pass ("soft fail") rather than refusing to connect. An attacker who is already positioned to intercept a victim's traffic with the rogue certificate can just as easily block the revocation query, so the certificate may remain usable against unsuspecting end users until their browsers and operating systems receive an update that distrusts it directly.
"The purpose of this advisory is to notify customers that an SSL digital certificate was improperly issued," Microsoft officials warned late Monday. "This SSL certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Microsoft web properties. It cannot be used to issue other certificates, impersonate other domains, or sign code."