Microsoft has issued an emergency update for its Windows operating system to protect systems against the recent counterfeit encryption certificates that came out of the National Informatics Centre (NIC) of India. These certificates were spotted earlier in the week and appear to spoof credentials from Google and Yahoo. The update revokes trust in the certificates, preventing hackers from using them to carry out attacks against internet users.
Attackers had earlier managed to gain access to the NIC and generate compromised SSL certificates. Many systems, including those of governments, banks, and e-commerce sites, rely on SSL certificates to determine the authenticity of a website. A faked SSL certificate would allow hackers to redirect traffic to their own servers without the user being aware that anything has gone wrong.
Most computers running later versions of Windows should receive the update automatically, although it wouldn’t hurt to check just in case. It is highly recommended that this security update be installed as the spoofed certificates are capable of fooling many Windows applications, and not only web browsers.
Among browsers, only Internet Explorer is currently vulnerable to the issue. Google Chrome is immune to the problem, as it only allows certificates limited to the .in top-level domain. Other operating systems and browsers are similarly not affected, as they do not trust these kinds of SSL certificates to begin with.
[Source: Ars Technica]