Bad Comodo Certificates

Oh my! Finally caught in the act?

 

Microsoft Security Advisory (2524375) Fraudulent Digital Certificates Could Allow Spoofing

Published: March 23, 2011

Version: 1.0

 

General Information

 Executive Summary

 

Microsoft is aware of nine fraudulent digital certificates issued by Comodo, a certification authority present in the Trusted Root Certification Authorities Store on all supported versions of Microsoft Windows. Comodo advised Microsoft on March 16, 2011 that nine certificates had been signed on behalf of a third party without sufficiently validating its identity. These certificates may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer.

 

These certificates affect the following Web properties:

 

login.live.com

mail.google.com

www.google.com

login.yahoo.com (3 certificates)

login.skype.com

addons.mozilla.org

"Global Trustee"

 

Comodo has revoked these certificates, and they are listed in Comodo’s current Certificate Revocation List (CRL). In addition, browsers which have enabled the Online Certificate Status Protocol (OCSP) will interactively validate these certificates and block them from being used.

 

An update is available for all supported versions of Windows to help address this issue. For more information about this update, see Microsoft Knowledge Base Article 2524375.

 

Typically, no action is required of customers to install this update, because the majority of customers have automatic updating enabled and this update will be downloaded and installed automatically. For more information, including how to manually install this update, see the Suggested Actions section of this advisory.

All the more reason to lock down the NIS 2011-generated default rule for Windows Explorer.

 

I have had two suspicious connections from Win Explorer to certificate sites. The first one came from the installer of an updated NIC driver I downloaded from the Realtek site. It was to URL csc3-2009-2-crl.verisign.com, IP 199.7.51.190. The URL is legit; a VeriSign cert. site. But that IP is associated with all kinds of nasty stuff. The combo of that URL plus IP address yields web search malware alerts up the wazoo.

 

The next cert. connection came from URL crl.microsoft.com, IP 63.235.36.224. I allowed that but now worry about it. A Robo mapping of that URL shows an interesting mapping. One branch goes to Microsoft servers but the rest do not.

 

Personally, I know of no reason why Win Explorer should be connecting to any cert. authority.

Hi donziehm-

 

Explorer likely connects to CA servers either for a CRL download or an OCSP certificate status check.

 

If you are interested, here are some wikipedia articles on these topics:

 

http://en.wikipedia.org/wiki/Certificate_revocation_list

http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol

 

I could see that for bogus certs, they could provide information to bogus CRL and OCSP servers, but the ones you described are based on verisign.com and microsoft.com domains. To override CRL and OCSP information from them, some type of secondary network redirection would have to be done beyond delivery of the bogus certs to your browser.

 

Thanks,

 

Matt Powers

Symantec Corp.
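The two posts above (donziehm's outbound connections from Explorer to csc3-2009-2-crl.verisign.com and crl.microsoft.com, and Matt's explanation that these are CRL/OCSP fetches) can be checked directly on the machine rather than guessed at from firewall prompts. The following PowerShell is an added example written for this thread, not code from Symantec, Microsoft or any poster. It assumes a downloaded, Authenticode-signed installer at the hypothetical path in `$installer`. It reads the signer certificate out of the file's signature, prints the CRL Distribution Points and Authority Information Access extensions (the URLs Windows will contact when it verifies that signature), and then builds the chain with online revocation checking so you can see whether the signer is revoked:

```powershell
# Added example (not from this thread). Shows why verifying a signed installer
# makes Windows contact a CA's CRL/OCSP hosts, and checks the signer's status.
# Assumption: $installer is a hypothetical path to an Authenticode-signed file.
$installer = 'C:\Users\Public\Downloads\Setup.exe'

$sig = Get-AuthenticodeSignature -FilePath $installer
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status for $installer is $($sig.Status)"
}
$signer = $sig.SignerCertificate
if (-not $signer) { throw "No Authenticode signature found on $installer" }

"Signer : $($signer.Subject)"
"Issuer : $($signer.Issuer)"
"Serial : $($signer.SerialNumber)"

# The certificate itself names the revocation endpoints. Any component that
# verifies this signature (Explorer showing the file's Digital Signatures tab,
# the installer's own self-check, SmartScreen, etc.) may contact these hosts.
foreach ($name in 'CRL Distribution Points', 'Authority Information Access') {
    $ext = $signer.Extensions | Where-Object { $_.Oid.FriendlyName -eq $name }
    if ($ext) {
        "--- $name ---"
        $ext.Format($true)
    }
}

# Build the chain with online revocation checking, as Windows' signature
# verifier does. A revoked signer or an unreachable CRL shows up in ChainStatus
# as 'Revoked' or 'RevocationStatusUnknown' / 'OfflineRevocation'.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
$ok = $chain.Build($signer)

"Chain valid with revocation check: $ok"
foreach ($element in $chain.ChainElements) {
    "  {0}" -f $element.Certificate.Subject
}
foreach ($status in $chain.ChainStatus) {
    "  {0}: {1}" -f $status.Status, $status.StatusInformation.Trim()
}
```

Two practical notes. The CRL host you see in the firewall prompt should match a URL printed from the CRL Distribution Points extension; if Explorer is talking to a CRL or OCSP host that appears in no certificate on the file, that is the thing worth investigating, not the fetch itself. To attribute a fetch to a specific process and URL after the fact, enable the Microsoft-Windows-CAPI2/Operational log in Event Viewer and look for the "Retrieve object from network" events, or run `certutil -urlcache crl` to list the CRLs Windows has already cached. Note that the attack in the advisory is not affected by any of this on the server side: the bogus Comodo certificates carried Comodo's own CRL/OCSP URLs, which is exactly why Comodo's revocation plus the Windows untrusted-certificate update both matter.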

Check this out: http://threatexpert.com/report.aspx?md5=25eaea0e567807ee740eb75b141f3ca2

That's OLD; I installed one on my PC months and months ago with that WinRAR installer.

 

Quads

I give up.

More hot water for Comodo, on news of two additional compromised accounts:

 

http://www.eweek.com/c/a/Security/Comodo-Inspires-No-Confidence-as-Hacker-Compromises-Two-More-Accounts-454549/

Well, Comodo has had a few past "integrity" issues with their certs. Such as questionable cert. issuing to outfits with reputations for being spammers and spies. Hell, when your business model is issuing certs., you have to make money somehow...

 

 


donziehm wrote:

Well, Comodo has had a few past "integrity" issues with their certs.


Yes, they have.

 

Their Comodo username/password was: user: gtadmin password: globaltrust
Their DB name was: globaltrust and instantsslcms

 

 

Thanks, Jive, for that link to F-Secure. Good info.

 

tin