Microsoft Blacklists Fake Certificate
But Experts Warn Phishing, Malware Risks Continue
Microsoft has issued a warning that a fraudulent SSL digital certificate has been issued in the name of a Finnish version of its Windows Live service. Although the company says it has revoked the certificate, security experts warn that older software may continue to "trust" the known bad certificate for months or even years, and that attackers could use it to trick users into running malware.
"Microsoft is aware of an improperly issued SSL certificate for the domain 'live.fi' that could be used in attempts to spoof content, perform phishing attacks or perform man-in-the-middle attacks," Microsoft says in a March 16 security alert. "It cannot be used to issue other certificates, impersonate other domains or sign code. This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue."
The domain "live" refers to the Windows Live service, a discontinued brand of Web services and software from Microsoft. As with its MSN and Hotmail brands, Microsoft formerly offered email addresses with the "live" domain. But according to Sean Sullivan, a security advisor at Finnish anti-virus firm F-Secure, Microsoft now appears to be encouraging users to register with one of its "outlook" domains.
Security researchers have long warned that when attackers get access to legitimate digital certificates, they can disguise malware as legitimate software, thus making it more likely that they can trick end users into installing it.
Fortunately, in this case the Live.fi certificate was reportedly issued to an unnamed man in Finland, who says he attempted to alert both Finnish authorities and Microsoft officials to the problem. "I noticed the other day that Microsoft's new email service allows you to make a number of aliases, or alternate email addresses to the same account," he tells Finnish IT magazine Tivi. "I tried, just for fun, to see if I could create a ... domain-holder address," referring to an email address that would appear to be owned by whoever owned the domain.
In fact, he reports that he was able to register the alias "Hostmaster@live.fi", which he then used to obtain a legitimate HTTPS certificate for Live.fi via Comodo, the world's largest digital certificate authority.
In response to a request for comment on that report, a spokesman for Comodo said that the company "immediately revoked the unauthorized certificate related to the live.fi domain." But it declined to comment on whether it would revisit its certificate-issuing safeguards. According to the company's domain control validation guidelines, its automated system will send a unique validation code - which can be used to register a certificate for that domain - to any of the following email addresses at a domain:
Theoretically, however, only admin-level employees at a company should have access to those addresses. Indeed, Microsoft's related security alert notes: "An email account was able to be registered for the live.fi domain using a privileged username, which was subsequently used to request an unauthorized certificate for that domain." In other words, "it sounds like it was Microsoft's fault rather than Comodo's," Paul Mutton, an information security expert at Internet services firm Netcraft, tells Information Security Media Group. "The certificate was 'domain-validated' which means that the applicant only had to prove to Comodo that he/she had control of the live.fi domain."
Domain-validated certificates are the easiest type of SSL certificate to obtain. "Other types of certificates, such as organization-validated and extended validation certificates, involve additional checks before they can be issued," Mutton says. "Fraudulently obtaining [this type of] cert would be an awful lot harder." But from a hacker's point of view, domain-validated certificates would still work for many types of attacks.
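The root cause above was a webmail service letting an ordinary user claim an alias that certificate authorities treat as proof of domain control. As an added illustration (not code from Microsoft, Comodo or the article), the following Python check is the kind of alias-registration gate a mail provider can apply: it rejects the five local-parts that the CA/Browser Forum Baseline Requirements reserve for domain-validation email (including the "hostmaster" used in this incident) after normalising the request so that case, dot and plus-tag variants cannot slip past it. The extra provider-reserved names and the normalisation rules are assumptions for illustration.

```python
import re

# Local-parts that CAs may send domain-control-validation mail to; the five
# names are those listed in the CA/Browser Forum Baseline Requirements.
# "hostmaster" is the one registered in the live.fi case.
DCV_RESERVED_LOCAL_PARTS = frozenset({
    "admin", "administrator", "webmaster", "hostmaster", "postmaster",
})

# Operational names a provider usually keeps for itself (assumption: an
# illustrative extension, not a list taken from any standard).
PROVIDER_RESERVED_LOCAL_PARTS = frozenset({"abuse", "security", "noc", "root"})


def canonical_local_part(local_part: str) -> str:
    """Normalise a requested alias before comparing it with the reserved sets.
    Folds case, drops a '+tag' suffix and removes dots, because many mail
    systems deliver host.master+x@ to the same mailbox as hostmaster@.
    The normalisation is deliberately conservative (it may over-block)."""
    lp = local_part.strip().lower()
    lp = lp.split("+", 1)[0]      # hostmaster+anything -> hostmaster
    lp = lp.replace(".", "")      # host.master          -> hostmaster
    return lp


def alias_allowed(requested_alias: str, domain: str) -> tuple:
    """Decide whether a webmail user may register `requested_alias` on the
    service domain `domain`. Returns (allowed, reason)."""
    if "@" not in requested_alias:
        return False, "malformed address"
    local, _, alias_domain = requested_alias.rpartition("@")
    if alias_domain.lower() != domain.lower():
        return False, "alias domain does not match service domain"
    canon = canonical_local_part(local)
    if not re.fullmatch(r"[a-z0-9_-]{1,64}", canon):
        return False, "local-part contains characters outside the allowed set"
    if canon in DCV_RESERVED_LOCAL_PARTS:
        return False, f"'{canon}' is reserved for certificate domain validation"
    if canon in PROVIDER_RESERVED_LOCAL_PARTS:
        return False, f"'{canon}' is reserved by the mail provider"
    return True, "ok"
```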
The Finnish man who claims to have registered the fraudulent certificate - he is not named in the Tivi report - says he alerted the Finnish Communications Regulatory Authority to the problem in January, but that it wasn't resolved. So he then attempted to inform multiple staff members at Microsoft, again receiving no response. But he says that when Microsoft deactivated his main Live.fi account on March 12 - which led to the freezing of his Xbox account, eliminating the ability to access emails via his Live.fi address, as well as much of the functionality of his Lumia phone - he suspected Microsoft officials finally realized there was a problem.
Microsoft did not immediately respond to a request for comment about the report or about the best mechanism for reporting these types of security vulnerabilities.
Windows: Some Automatic Revocation
The company says it has now added the fraudulent Live.fi certificate to Windows blacklists. "To help protect customers from potentially fraudulent use of this digital certificate, it has been revoked by the issuing CA and Microsoft is updating the certificate trust list (CTL) for all supported releases of Microsoft Windows to remove the trust of certificates that are causing this issue," it says in its security alert.
There's an optional automatic updater for revoked certificates in Windows 8, 8.1, RT, and RT 8.1; Windows Server 2012 and 2012 R2; and for mobile devices that run Windows Phone 8 and Windows Phone 8.1, Microsoft notes. "For these operating systems and devices, customers do not need to take any action as these systems and devices will be automatically protected," the company says. Likewise, Windows Vista, 7, Windows Server 2008, and Windows Server 2008 R2 have an optional automatic updater which will revoke the certificates.
But for anyone who didn't install the automatic updater for revoked certificates, or who is running Windows Server 2003, Microsoft recommends immediately updating Windows via its Microsoft Update service or by downloading and applying related updates manually.
Certificates: Tough to Kill
One ongoing challenge with fraudulently issued certificates, however, is that they're tough to kill. "Certificate Revocation Lists and OCSP - Online Certificate Status Protocol - are the two main mechanisms to 'recall' a bad certificate, and they still don't work all the time," Johannes Ullrich, dean of research for the SANS Institute, tells ISMG.
For example, if a connection cannot be established with one of the certificate-checking mechanisms, such as when access is being blocked by malware or a man-in-the-middle attack, the browser will still allow the HTTPS session to proceed, in case the network problem is benign, according to a 2013 blog post from Netcraft. Likewise, so long as a certificate has yet to expire, it may be treated as valid, even if it's been revoked. "Even with the most secure browser, the most frequent users of a secure website may be able to continue using a website for weeks or months despite one of the certificates in the chain of trust having been revoked," it says.
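To make the revocation gap concrete, here is an added Python model (not code from the article, Microsoft or any browser) that evaluates a certificate under the checks described above: a local distrust list in the spirit of the Windows CTL, the expiry date, and a CRL/OCSP-style lookup that either soft-fails or hard-fails when the responder is unreachable. The certificate, serial number, dates and bytes are constructed, fake_ocsp stands in for a real responder, and keying the distrust list by SHA-256 thumbprint is a modelling choice.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    subject: str
    serial: int
    not_after: datetime
    der: bytes  # constructed stand-in for the DER-encoded certificate

    @property
    def thumbprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()

class ResponderUnreachable(Exception): pass  # CRL/OCSP endpoint blocked or down

def fake_ocsp(cert: Cert, reachable: bool, revoked_serials: set) -> str:
    """Constructed stand-in for an OCSP query; raises if the responder is down."""
    if not reachable:
        raise ResponderUnreachable(cert.subject)
    return "revoked" if cert.serial in revoked_serials else "good"

def evaluate(cert: Cert, now: datetime, disallowed: set, ocsp_lookup,
             soft_fail: bool) -> tuple:
    """Return (trusted, reason). `disallowed` is a local CTL-style set of
    SHA-256 thumbprints, consulted before any network revocation check."""
    if cert.thumbprint in disallowed:
        return False, "thumbprint on local disallowed list"
    if now >= cert.not_after:
        return False, "expired"
    try:
        status = ocsp_lookup(cert)
    except ResponderUnreachable:
        if soft_fail:  # the browser behaviour Netcraft describes
            return True, "revocation status unknown; soft-fail accepted"
        return False, "revocation status unknown; hard-fail rejected"
    return (False, "revoked by CA") if status == "revoked" else (True, "good")

# Constructed data modelled on the live.fi case: a DV cert the CA has since
# revoked, still months away from its expiry date.
LIVE_FI = Cert("live.fi", 0x1234, datetime(2016, 3, 1, tzinfo=timezone.utc),
               b"constructed-der-bytes-for-live.fi")
NOW = datetime(2015, 3, 17, tzinfo=timezone.utc)
REVOKED_SERIALS = {0x1234}

def scenario(reachable: bool, soft_fail: bool, use_ctl: bool) -> tuple:
    """Evaluate LIVE_FI under one combination of network state and policy."""
    disallowed = {LIVE_FI.thumbprint} if use_ctl else set()
    return evaluate(LIVE_FI, NOW, disallowed,
                    lambda c: fake_ocsp(c, reachable, REVOKED_SERIALS), soft_fail)
```

Only the local distrust list rejects the certificate when the responder is unreachable and the client soft-fails, which is why a CTL update protects hosts that a revocation entry alone does not.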
Unfortunately, little has changed in the past two years, Netcraft's Mutton reports. "Killing bad certs is still difficult, in practice. Rather than relying solely on the existing revocation mechanisms, it is not unusual to see browser vendors making whole new releases in order to ensure that the compromised - or fraudulently issued - certs are no longer trusted," he says. "In the worst case, it could remain trusted by older browser software for months or years."
Ullrich says this "sad" state of SSL digital certificate affairs needs to be "patched up" by the certificate-authority community. "The social and political vulnerabilities of the CA system are far more severe than the technical issues like FREAK or POODLE," he says. "Sadly, users can do little to fix that. Google has an interesting proposal to implement certificate transparency, which may help, but it has found little support among certificate authorities so far."