Microsoft warns: Fraudulent digital certificates issued for high-value

[Borg 386]

Microsoft today warned that Comodo has issued nine fraudulent digital certificates to a third party whose identity could not be sufficiently validated, a scenario that could allow attackers to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web surfers.

According to the Microsoft advisory, the fraudulent Web certificates affect the Microsoft Live service, Google’s mail system, Yahoo and Skype log-ins.

• login.live.com
• mail.google.com
• Google
• login.yahoo.com (3 certificates)
• login.skype.com
• addons.mozilla.org
• “Global Trustee”

The fact that valid HTTPS certificates for high-value web sites were issued to attackers is a worrying development (see essay from the Tor Project), especially since Comodo is a certification authority present in the Trusted Root Certification Authorities Store on all supported versions of Microsoft Windows.

Comodo has revoked these certificates, and they are listed in Comodo’s current Certificate Revocation List (CRL). In addition, browsers which have enabled the Online Certificate Status Protocol (OCSP) will interactively validate these certificates and block them from being used.

UPDATE: Attack originated in Iran
Comodo has published a blog post and an incident report with a claim that the attack originated from IP addresses in Iran.

“The attacker was well prepared and knew in advance what he was to try to achieve. He seemed to have a list of targets that he knew he wanted to obtain certificates for, was able quickly to generate the CSRs for these certificates and submit the orders to our system so that the certificates would be produced and made available to him,” Comodo said.

Read More:


Microsoft warns: Fraudulent digital certificates issued for high-value websites | ZDNet

EDIT: An update is available for all supported versions of Windows to help address this issue. For more information about this update, see Microsoft Knowledge Base Article 2524375.

 

[Maguscreed]

Ouch, comodo seems to have really dropped the ball on that one.

 

[Wallonn7]

Thank you for valuable information!

 

[mckillwashere]

I can honesty see this becoming more prevalent in the coming years.

 

[Fayla]

Incidents like this really dent my trust in these apparently respectable third party companies. I'll probably end up only being able to trust Microsoft and its security software when dealing with the Window's OS.

 

[Maguscreed]

I lost my trust in comodo years ago, when I put it on three completely different systems and it immediately rendered all of them bsod making piles of garbage until I scrubbed it back off again.

It's quite possible MS will cut them off after this anyhow. It represents a serious problem for people using IE because of the way it handles sites presenting a proper certificate.

 

[Fayla]

I didn't know about Comodo until I seen people recommending it here. Because of those recommendations I installed their firewall, but I found it to be over complicated in some areas and it was crashing some of the programs I use for work I restored a full system image to make sure that all of the HIPS hooks it probably installed into the kernel were gone.

In a way these developments are interesting, as Microsoft is being taken more serious in regards to security and protecting its end users. And it is all of those third party companies-- Sun with its Java, Adobe with its Flash/Reader and now Comodo being seen as the bad guys

I lost my trust in comodo years ago, when I put it on three completely different systems and it immediately rendered all of them bsod making piles of garbage until I scrubbed it back off again.

It's quite possible MS will cut them off after this anyhow. It represents a serious problem for people using IE because of the way it handles sites presenting a proper certificate.

 

[Layback Bear]

Years ago on more than one forum I mentioned it was about time Microsoft got more serious about security because they had the money and personal to do the job. They were in the position to work with countries and industry to get the job done. I must say they have taken the ball and run with it. I think they are doing a upstanding job. Finding and repairing security problems. Helping shut down Botnets, torrents, ect.

 

[Maguscreed]

Years ago on more than one forum I mentioned it was about time Microsoft got more serious about security because they had the money and personal to do the job. They were in the position to work with countries and industry to get the job done. I must say they have taken the ball and run with it. I think they are doing a upstanding job. Finding and repairing security problems. Helping shut down Botnets, torrents, ect.

I agree with everything there but one item.

I don't think torrents are inherently bad, even though people use them for illegal purposes, they have their legitimate place as does all p2p. P2P represents a great method for sharing of free, open source, and creative commons materials.

The real problem is the people in charge of the torrent sites tend to not really care what they are hosting as long as they are making money off their ads and what not.

I'm not for demonizing the entire concept of p2p because of it though. People freaked out a long time ago over a similar device that allowed people access to information on a unheard of scale. It was called the printing press.

 

[SIW2]

That's odd - WU said it was up to date - but didn't have that update.

 

[Wallonn7]

That's odd - WU said it was up to date - but didn't have that update.

It was released the update (KB2524375) via Windows Update ...

 

[jav]

If anyone is interested on more details:

https://blog.torproject.org/blog/de...thority-compromises-and-web-browser-collusion

 

[jav]

The person who claims to be responsible for hacking:

ComodoHacker's Pastebin - Pastebin.com

And proof verification of it from pen-testers at Errata Security:
Errata Security: Verifying the Comodo Hacker's key

 

[mckillwashere]

He sounds a lil too cocky. Ill say hes caught in two months.

 

[malexous]

...
Two additional Registration Authorities, or RAs, that resell digital certificates for Comodo have been compromised, in addition to the original RA breached a week ago, Comodo said yesterday.

"Two further RA accounts have since been compromised and had RA privileges withdrawn," Robin Alden, chief technology officer at Jersey City, N.J.-based Comodo, wrote in a post on a Mozilla Developer security policy Google Groups thread. "No further mis-issued certificates have resulted from those compromises."
...

Comodo: Web attack broader than initially thought | InSecurity Complex - CNET News

 

[Phone Man]

Comodo's first mistake was to outsource the selling of certificates to 3rd party companies whose security sucks. If Comodo had any sense they should do this in house where they can better protect their own systems. Or maybe Comodo's security also sucks.

Jim