SecurityTracker.com
Category:   OS (Microsoft)  >   Windows DLL (Any)
Vendors:   Microsoft
Microsoft Windows Includes An Invalid Certificate
SecurityTracker Alert ID:  1029445
SecurityTracker URL:  http://securitytracker.com/id/1029445
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Dec 13 2013
Original Entry Date:  Dec 9 2013
Impact:   Modification of authentication information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): XP SP3, 2003 SP2, Vista SP2, 2008 SP2, 7 SP1, 2008 R2 SP1, 8, 8.1, 2012, 2012 R2; and prior service packs
Description:   A vulnerability was reported in Microsoft Windows. A remote user may be able to spoof SSL certificates.

The operating system includes an invalid subordinate certificate issued by Directorate General of the Treasury (DG Tresor), subordinate to the Government of France CA (ANSSI).

The invalid certificate and its thumbprint are:

AC DG Tresor SSL: 5c e3 39 46 5f 41 a1 e4 23 14 9f 65 54 40 95 40 4d e6 eb e2

Unauthorized digital certificates derived from this certificate authority are being actively used in attacks against various Google domains.

The vulnerability is due to the certificate authority and not the operating system itself.
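
An added example (not part of the advisory or any vendor code): a Python check that computes the SHA-1 thumbprint of each certificate in a captured PEM chain and flags any that match the thumbprint listed above. The function names and the sample chain are assumptions made for illustration; the sample blocks hold constructed placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re

# Thumbprint (SHA-1 over the DER encoding) exactly as printed in the advisory.
AC_DG_TRESOR_SSL = "5c e3 39 46 5f 41 a1 e4 23 14 9f 65 54 40 95 40 4d e6 eb e2"

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def normalize(thumbprint):
    """Reduce 'AA BB', 'aa:bb' or 'aabb' to lowercase hex; reject bad input."""
    hexstr = re.sub(r"[\s:]", "", thumbprint).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", hexstr):
        raise ValueError("not a SHA-1 thumbprint: %r" % thumbprint)
    return hexstr


def thumbprints(pem_bundle):
    """Yield (position, sha1 hex) for every certificate block in a PEM bundle."""
    for pos, match in enumerate(PEM_RE.finditer(pem_bundle)):
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
        yield pos, hashlib.sha1(der).hexdigest()


def find_untrusted(pem_bundle, untrusted=(AC_DG_TRESOR_SSL,)):
    """Return chain positions whose thumbprint is on the untrusted list."""
    blocked = {normalize(t) for t in untrusted}
    return [pos for pos, tp in thumbprints(pem_bundle) if tp in blocked]


def make_pem(der):
    """Wrap raw bytes in PEM armor (used only to build the sample below)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


# Constructed sample: placeholder bytes standing in for a leaf and an
# intermediate. Neither is a real certificate.
SAMPLE_LEAF = b"constructed-leaf-bytes"
SAMPLE_INTERMEDIATE = b"constructed-intermediate-bytes"
SAMPLE_CHAIN = make_pem(SAMPLE_LEAF) + make_pem(SAMPLE_INTERMEDIATE)

if __name__ == "__main__":
    print(find_untrusted(SAMPLE_CHAIN))
```

Pass additional thumbprints through the `untrusted` argument to screen a chain against more than one revoked intermediate.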

Adam Langley and the Google Chrome Security Team reported this vulnerability.

Impact:   A remote user may be able to spoof SSL certificates.
Solution:   The vendor has issued a fix, available via automatic update for Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, and Windows Phone 8.

The vendor has issued a fix for Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 systems that use the automatic updater of revoked certificates (see KB2677070).

For Windows XP or Windows Server 2003, the vendor recommends applying update 2917500.

The vendor's advisory is available at:

http://technet.microsoft.com/en-us/security/advisory/2916652

Vendor URL:  technet.microsoft.com/en-us/security/advisory/2916652
Cause:   Configuration error

Message History:   None.



Copyright 2021, SecurityGlobal.net LLC