ID: IRCNE2013122039
Date: 2013-12-10
According to "zdnet", Microsoft has issued an advisory for the unauthorized SSL certificate issuance reported yesterday by Google.
The security advisory from Microsoft states that SSL certificates had been issued "...for multiple sites, including Google web properties." So it appears the incident is not limited to Google.
The certificates were issued using an improper intermediate certificate authority certificate which itself was issued by the Directorate General of the Treasury (DG Trésor), which is subordinate to the Government of France CA (ANSSI). ANSSI is a CA present in the Trusted Root Certification Authorities Store and thus all subordinate certificates are trusted.
In response, Microsoft is updating their Certificate Trust List (CTL) for all supported released of Windows to remove "... to remove the trust of certificates that are causing this issue."
Microsoft says that devices running supported editions of Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, and Windows Phone 8 automatically update revoked certificates An installable version of this tool for versions of Windows prior to Windows 8 — but not Windows XP or Windows Server 2003 — is available from Microsoft.
- 2