"These SSL certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against Web properties," a Microsoft advisory warned. "The subordinate CAs may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks."
Today, Microsoft has issued an emergency update for almost all supported versions of Windows, as well as for devices running Windows Phone 8 and 8.1, to protect users from attacks that abuse the recently mis-issued SSL certificates, which could be used to impersonate Google and Yahoo! websites.
A week after Google spotted and blocked unauthorized digital certificates for a number of its domains, which posed a potentially serious security and privacy threat, Microsoft has followed suit and blocked the bogus certificates from being trusted by its software as well.
"Today, we are updating the Certificate Trust List (CTL) for all supported releases of Microsoft Windows to remove the trust of mis-issued third-party digital certificates," said Dustin Childs, group manager of response communications.
The fake digital certificates, issued by the National Informatics Centre (NIC) of India, a unit of India's Ministry of Communications and Information Technology, were uncovered at the beginning of this month by Google's security team.
Google warned the Indian certification authorities as well as Microsoft, because the NIC subordinate CAs chain to a root included in the Microsoft Root Store and so are trusted by a large number of applications running on Windows, including Internet Explorer and Chrome, which rely on the Windows certificate store (Firefox ships its own root store and does not).
Microsoft says it is not aware of any attacks exploiting the issue, but millions of websites operated by banks, e-commerce companies and other online services rely on exactly this kind of cryptographic credential to encrypt web traffic and prove the identity of their servers, so a rogue certificate that chains to a trusted root undermines that assurance for any site it names.
The Certificate Trust List (CTL) update has been pushed to all users who have automatic updates enabled. For systems that do not have the automatic updater of revoked certificates installed, Microsoft has released a patch that can be installed manually. Until the update is applied on a given machine, a mis-issued certificate presented by a server will validate there like any other.
The emergency update covers all supported Microsoft PC operating systems, including Windows Vista, Windows 8, 8.1, RT, RT 8.1, Server 2012 and Server 2012 R2, as well as Windows Phone 8. At the moment there is no update for Windows Server 2003 that revokes the fraudulent certificates; Microsoft says it will issue one as soon as it becomes available. Support for Server 2003 ends next year, but the company says it will provide a fix before then.
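For administrators who want to confirm that the CTL update has actually taken effect on a machine, here is an added example (not from the article and not a Microsoft tool) in PowerShell. It lists what the update has placed in the Windows "Disallowed" certificate store and then builds a chain for an exported site certificate the same way Windows applications do. The filter pattern `NIC|India` and the file path `C:\temp\site.cer` are assumptions; substitute the subject names or thumbprints from the Microsoft advisory and the path of a certificate you exported from the site in question.

```powershell
# Added example, not part of the article or of any Microsoft tooling.
# Assumptions: the subject filter below and the certificate path are
# placeholders to be replaced with values from the Microsoft advisory
# and a certificate you exported yourself.

$pattern  = 'NIC|India'            # assumption: adjust to the advisory's CA names
$CertPath = 'C:\temp\site.cer'     # assumption: a certificate exported from the site

# 1. Show what the CTL update has put in the Disallowed store. After the
#    update the mis-issued subordinate CAs should be listed here.
Write-Host "Disallowed-store entries matching '$pattern':"
Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
    Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
    Select-Object Subject, Issuer, Thumbprint, NotAfter |
    Format-Table -AutoSize

# 2. Build a chain for an exported certificate using the same Windows
#    chain engine that Internet Explorer and Chrome on Windows use, and
#    report why validation fails if it does. A chain element that sits in
#    the Disallowed store surfaces as an ExplicitDistrust status.
function Test-SiteCertificateChain {
    param([Parameter(Mandatory)][string]$Path)

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online

    $ok = $chain.Build($cert)

    [pscustomobject]@{
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer
        ChainOk  = $ok
        Status   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Elements = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
    }
}

if (Test-Path $CertPath) {
    Test-SiteCertificateChain -Path $CertPath | Format-List
} else {
    Write-Host "No certificate found at $CertPath; export one from the site to test its chain."
}
```

Run this in an elevated PowerShell session before and after the update: before, a certificate issued under one of the mis-issued subordinate CAs will chain cleanly to the Indian root in the Microsoft Root Store; after, the Disallowed-store listing should show the subordinate CAs and the chain build should report a non-empty status instead of `ChainOk: True`.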