Critical Out-of-Band Microsoft Update Released to Protect Customers from Invalid Certificates

Microsoft today has issued a critical update for pretty much all versions of Windows, and also Microsoft devices running Windows Phone 8 and 8.1.

The critical issue the emergency update addresses is the issuance of improper and unsecure SSL certificates from the National Informatics Centre (NIC).

Per Microsoft...

These SSL certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against Web properties. The subordinate CAs may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks.

What to do…

Latest Windows versions: Those computers running Microsoft's latest versions of Windows (Windows 8.x, Windows Server 2012.x, and Windows Phone 8.x) have an automatic updater built into the OS that enables automated revocation of certificates. The update will happen automatically.

Windows Vista through Windows Server 2008: Windows Vista, Windows 7, and Windows Server 2008.x must have the automatic updater installed. If it's already installed, then Certificate Trust List (CTL) will be update automatically. However, if it's not installed, you can get it HERE or the updated CTL for disconnected environments HERE.

If you're running Windows Server 2003, there is currently no update available, however, Microsoft is working on one. And, of course, no update will be provided for Windows XP.

A security advisory is now live in the Knowledge Base here: Microsoft security advisory: Improperly issued digital certificates could allow spoofing

…and, in the Security TechCenter here: Improperly Issued Digital Certificates Could Allow Spoofing

Interestingly enough, the sites most affected by this issue are hosted by Google and Yahoo.