Improperly Issued Digital Certificates - Microsoft Security Advisory 2916652

Number: AV13-044
Date: 13 December 2013

Purpose

The purpose of this advisory is to bring attention to the Microsoft Security Advisory 2916652 concerning improperly issued digital certificates.

Assessment

Microsoft issued an advisory on December 9, 2013, about an improperly issued subordinate CA certificate. This digital certificate has been misused to issue SSL certificates for multiple sites. These can then be used by attackers to perform phishing attacks, spoof content, and conduct other types of malicious activity. Microsoft is not currently aware of any attacks related to this issue.

Suggested action

CCIRC recommends that system administrators test and deploy these updates accordingly at the earliest opportunity.

For systems running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 that are using the automatic updater of revoked certificates (see Microsoft Knowledge Base Article 2677070 for details), customers do not need to take any action as these systems will be automatically protected.

For customers running Windows XP, Windows Server 2003 or for customers who choose not to install the automatic updater of revoked certificates, Microsoft recommends that the 2917500 update be applied.

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that the CCIRC PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
