SecurityTracker.com

Category:   OS (Microsoft)  >   Windows DLL (Any)
Vendors:   Microsoft
Microsoft Windows Includes Some Invalid TURKTRUST Certificates
SecurityTracker Alert ID:  1027934
SecurityTracker URL:  http://securitytracker.com/id/1027934
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 3 2013
Impact:   Modification of authentication information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): XP SP3, 2003 SP2, Vista SP2, 2008 SP2, 7 SP1, 2008 R2 SP1, 8, 2012, RT; and prior service packs
Description:   A vulnerability was reported in Microsoft Windows. A remote user may be able to spoof sites.

The operating system includes some invalid certificates. The vulnerability is due to the invalid certificates and not the operating system itself.

TURKTRUST Inc. incorrectly created two subsidiary certificate authorities (CAs) ('*.EGO.GOV.TR' and 'e-islem.kktcmerkezbankasi.org') as end-entity certs and without CRL or OCSP extensions. The '*.EGO.GOV.TR' subsidiary CA was then used to issue a fraudulent digital certificate for '*.google.com'.

A fraudulent digital certificate has been actively used in attacks against several Google web domains.

Windows Phone 8 is also affected.

Adam Langley and the Google Chrome Security Team reported this vulnerability.

Impact:   A remote user may be able to spoof sites.
Solution:   The vendor has issued a fix that revokes the affected CA certificates, available at:

http://support.microsoft.com/kb/2798897

Systems configured with the automatic updater of revoked certificates do not need to apply a fix.

The vendor's advisory is available at:

http://technet.microsoft.com/en-us/security/advisory/2798897

Vendor URL:  technet.microsoft.com/en-us/security/advisory/2798897
Cause:   Configuration error

Message History:   None.

