Microsoft blacklists spoofed Windows Live SSL certificate
Microsoft has issued a security advisory (3046310) entitled 'Improperly issued digital certificates could allow spoofing', which warns of the dangers of spoofed Windows Live SSL certificates, and how they could have potentially been used in a Man-in-the-Middle attack.
The advisory states: "Microsoft is aware of an improperly issued SSL certificate for the domain 'live.fi' that could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks," the company said, adding that, “It cannot be used to issue other certificates, impersonate other domains, or sign code."
The bogus certificate was reportedly issued due to a misconfigured privileged email account on Microsoft's live.fi web property, the Finnish version of its online services.
Earlier today the OpenSSL project team announced the forthcoming release of versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf to be made available on Thursday 19 March to patch a ‘high severity' flaw.
And last week Microsoft was criticised for the late issuance of its security advisory that, Windows users should be wary of the possibility of a Freak attack, whereby a vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system. The developments have added to concerns that SSL is not providing the security expected, with the Poodle bug exploiting a flaw in the ageing SSL 3.0 protocol used to encrypt traffic between websites and users, and then a newer variant hitting the more modern TLS (Transaction Layer Security).
Separately, Microsoft announced that Windows 10 will provide versions of Windows for wide range of IoT devices, under the Windows 10 IoT brand. Windows 10 IoT is also claimed to bring enterprise-grade security from the device to the cloud and native connectivity for machine-to-machine and machine-to-cloud scenarios with Azure IoT services. Windows 10 IoT will offer one Windows platform with universal applications and driver models that will span devices from controllers such as IoT gateways to powerful devices such as ATMs and industrial robotics.