Microsoft, Google Revoke Fraudulent Certificates, Issue Advisories


Microsoft and Google are revoking fraudulent digital certificates, warning that they could be used by an attacker to impersonate Google websites. Meanwhile, Microsoft prepares for its first Patch Tuesday of the year.

In its security advisory, Microsoft said TurkTrust Inc., a Turkish certificate authority, mistakenly created two subsidiary CAs, one of which was used for the Google.com domain.

"This fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Google web properties," Microsoft said in its advisory.

[Related: Certificate Authority GlobalSign Restores SSL Certifications Following Investigation]

The certificate revocation affects all supported releases of Windows.

Google also took action, issuing an automated update to its Chrome browser to block the two subsidiary CAs. Adam Langley, a software engineer at Google, said the two certificates may have been issued in 2011. Google took action to revoke the certificates on Dec. 25.

"Given the severity of the situation, we will update Chrome again in January to no longer indicate Extended Validation status for certificates issued by TURKTRUST, though connections to TURKTRUST-validated HTTPS servers may continue to be allowed," Langley wrote in a >blog entry addressing the issue.

Microsoft said it would issue an update fixing critical server vulnerabilities in SharePoint and Groove Server 2007.
In its Advance Notification, Microsoft said it would address 12 vulnerabilities across its product portfolio.

The company said it plans to issue seven bulletins, two rated critical and five rated important. The critical updates affect Microsoft Windows, Office, Developer Tools and Microsoft Server software.

Patching administrators may need to make the critical server update a priority said Ross Barrett, senior manager, security engineering at Boston-based vulnerability management vendor Rapid7. The issue could potentially be a worm-able bug, Barrett said.

The Patch Tuesday update is scheduled for Jan. 8 at 1 p.m. EST.

Absent from the security update next week is a patch for the Internet Explorer zero-day vulnerability, which is being actively targeted by attackers in the wild. The remote execution vulnerability, which affects Internet Explorer 6, 7 and 8, was addressed with a temporary automated workaround issued Wednesday.

PUBLISHED JAN. 3, 2013