Microsoft Security Advisory (2524375) Fraudulent Digital Certificates Could Allow Spoofing
Published: March 23, 2011
Version: 1.0
General Information
Executive Summary
Microsoft is aware of nine fraudulent digital certificates issued by Comodo, a certification authority present in the Trusted Root Certification Authorities Store on all supported versions of Microsoft Windows. Comodo advised Microsoft on March 16, 2011 that nine certificates had been signed on behalf of a third party without sufficiently validating its identity. These certificates may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer.
These certificates affect the following Web properties:
Comodo has revoked these certificates, and they are listed in Comodo’s current Certificate Revocation List (CRL). In addition, browsers which have enabled the Online Certificate Status Protocol (OCSP) will interactively validate these certificates and block them from being used.
An update is available for all supported versions of Windows to help address this issue. For more information about this update, see Microsoft Knowledge Base Article 2524375.
Typically, no action is required of customers to install this update, because the majority of customers have automatic updating enabled and this update will be downloaded and installed automatically. For more information, including how to manually install this update, see the Suggested Actions section of this advisory.
All the more reason to lock down the NIS 2011-generated default rule for Windows Explorer.
I have had two suspicious connections from Win Explorer to certificate sites. The first one came from the installer of an updated NIC driver I downloaded from the RealTec site. It was to URL csc3-2009-2-crl.versign.com IP 199.7.51.190. The URL is legit; a VeriSign cert. site. But that IP is associated with all kinds of nasty stuff. The combo of that URL plus IP address yields web search malware alerts up the wazoo.
The next cert. connection came from URL crl.miscrosoft.com IP 63.235.36.224. I allowed that but now worry about it. A Robo mapping to that URL shows an interesting mapping. One branch goes to Microsoft servers but the rest do not.
Personally, I know of no reason why Win Explorer should be connecting to any cert. authority?
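The advisory's point that revoked certificates "are listed in Comodo's current Certificate Revocation List" only protects a client that actually fetches and consults the CRL. The following added example (not part of the advisory or of any post in this thread) builds a throwaway CA with OpenSSL, issues a leaf certificate for a constructed hostname, revokes it, and shows that verification with `-crl_check` rejects the certificate while verification without revocation checking still accepts it. The CA name, hostname and serial values are all constructed for the demo.

```shell
#!/bin/sh
# Added example: demonstrate CRL-based revocation with a local throwaway CA.
# Nothing here touches a real CA; all names and serials are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal OpenSSL CA configuration (constructed for this demo).
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = .
database         = index.txt
new_certs_dir    = .
serial           = serial
crlnumber        = crlnumber
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = any_policy
x509_extensions  = leaf_ext

[ any_policy ]
commonName = supplied

[ leaf_ext ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid

[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
touch index.txt
echo 1000 > serial      # first issued serial (hex) is 0x1000
echo 01 > crlnumber

# Demo root CA, standing in for a root in the OS trust store.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=Demo Root CA" -keyout ca.key -out ca.crt -config ca.cnf 2>/dev/null

# Leaf certificate for a constructed hostname, signed by the demo CA.
openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=login.example.test" \
  -keyout leaf.key -out leaf.csr -config ca.cnf 2>/dev/null
openssl ca -batch -notext -config ca.cnf -in leaf.csr -out leaf.crt 2>/dev/null

# verify_leaf crl|nocrl -> prints "valid", "revoked" or "error".
#   crl   : consult crl.pem, as a revocation-aware client does.
#   nocrl : chain validation only, as a client with revocation checking off.
verify_leaf() {
  if [ "$1" = crl ]; then
    set -- -CAfile ca.crt -CRLfile crl.pem -crl_check leaf.crt
  else
    set -- -CAfile ca.crt leaf.crt
  fi
  out=$(openssl verify "$@" 2>&1) && { echo valid; return 0; }
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *) echo error ;;
  esac
}

# list_revoked_serials -> serial numbers (hex) currently listed in crl.pem.
list_revoked_serials() {
  openssl crl -in crl.pem -noout -text | sed -n 's/^ *Serial Number: *//p'
}

# 1. Publish an empty CRL: the leaf is still good.
openssl ca -gencrl -config ca.cnf -out crl.pem 2>/dev/null
BEFORE=$(verify_leaf crl)

# 2. The CA discovers the certificate was mis-issued and revokes it,
#    then publishes a fresh CRL that lists its serial.
openssl ca -revoke leaf.crt -config ca.cnf 2>/dev/null
openssl ca -gencrl -config ca.cnf -out crl.pem 2>/dev/null

printf 'before revocation, CRL checked   : %s\n' "$BEFORE"
printf 'after revocation,  CRL checked   : %s\n' "$(verify_leaf crl)"
printf 'after revocation,  CRL ignored   : %s\n' "$(verify_leaf nocrl)"
printf 'serials on CRL                   : %s\n' "$(list_revoked_serials)"
```

The last two lines are the point: once the CA has revoked the certificate, a client that ignores the CRL still reports it as valid, which is why the advisory pairs the revocation with an OS update rather than relying on revocation checking alone.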
I could see that for bogus certs, they could provide information to bogus CRL and OCSP servers, but the ones you described are based on verisign.com and microsoft.com domains. To override CRL and OCSP information from them, some type of secondary network redirection would have to be done beyond delivery of the bogus certs to your browser.
Well, Comodo has had a few past "integrity" issues with their certs, such as questionable cert. issuing to outfits with reputations for being spammers and spyers. Hell, when your business model is issuing certs. you have to make money somehow...