Microsoft is rushing to fix an improperly issued SSL certificate for the live.fi domain, having warned users of the flaw in a threat advisory. The firm stated it has yet to see any evidence that hackers are actively exploiting the flaw.
“Microsoft is aware of an ‘improperly issued SSL certificate’ for the domain live.fi that could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks,” read the advisory.
“This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue.”
The advisory said Microsoft has already taken early defensive measures to protect users.
“To help protect customers from potentially fraudulent use of this digital certificate, it has been revoked by the issuing CA and Microsoft is updating the certificate trust list (CTL) for all supported releases of Microsoft Windows to remove the trust of certificates that are causing this issue,” read the advisory.
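As an added, defender-side check that is not part of the advisory or this article, the following PowerShell (assumed to run elevated on a supported Windows release) looks for the revoked live.fi certificate in the machine-wide Disallowed store and confirms that automatic trust-list updates have not been switched off by policy. The thumbprint is a placeholder; the `DisableRootAutoUpdate` policy value and the assumption that the CTL entry appears as a certificate object are my own, not stated in the advisory.

```powershell
# Added example, not from the advisory: verify the CTL revocation has reached this host.
# PLACEHOLDER - substitute the thumbprint published in the advisory.
$Thumbprint = 'REPLACE_WITH_THUMBPRINT_FROM_ADVISORY'

# 1. Look for a live.fi entry in the machine Disallowed ("Untrusted Certificates") store.
#    Assumption: the CTL update carries the full certificate, so it is listed here.
$disallowed = Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
    Where-Object { $_.Subject -like '*live.fi*' -or $_.Thumbprint -eq $Thumbprint }

if ($disallowed) {
    Write-Output 'Revoked live.fi certificate is present in the Disallowed store:'
    $disallowed | Format-Table Thumbprint, Subject, NotAfter -AutoSize
} else {
    Write-Warning 'No live.fi entry in the Disallowed store: the CTL update has not been applied yet.'
}

# 2. Check whether automatic root/CTL updates are disabled by policy (value 1 = disabled).
#    Assumption: this policy key governs the automatic trust-list download on this host.
$policy  = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$setting = Get-ItemProperty -Path $policy -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue

if ($setting -and $setting.DisableRootAutoUpdate -eq 1) {
    Write-Warning 'Automatic root/CTL updates are disabled by policy; the revocation will not arrive on its own.'
} else {
    Write-Output 'Automatic root/CTL updates are enabled.'
}
```

Hosts that report no Disallowed entry and disabled auto-update need the trust list pushed manually before the revocation protects their users.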
Security experts have expressed concerns about the bogus certificate, despite Microsoft’s assurances.
Tenable Network Security technical director Gavin Millard told V3 the certificate could be used for a variety of nefarious purposes.
“The valid certificate would enable an attacker to create fake versions of the affected website, fooling users into thinking they are communicating with the real site without any SSL warnings being thrown up by the browser, giving the attacker the ability to swipe login details or decrypt other communications,” he said.
ESET security specialist Mark James agreed, arguing the news is a stark reminder of the need for robust update cycles.
“We always talk about the safety of SSL certificates and the trust that goes with them – in this instance that trust could be used to deliver malware,” he said.
“There are many ways to protect yourself but keeping your operating systems up to date is one of the most important. By doing this any revoked certificates will be updated and you will be much better protected.”
F-Secure security adviser Sean Sullivan went a stage further, listing the advisory as proof that certificate processes are currently inadequate.
“This is another example of how the trusted certificate authority process is currently full of flaws, and with no good fixes on the horizon either, folks need to be wary of this type of thing repeating itself,” he said.
Bogus certificates are an ongoing issue facing businesses and have been used by hackers for a variety of purposes.
Greatfire.org reported in January that it had seen a surveillance campaign in China targeting Outlook users with a bogus certificate.