Comodo Fraudulent Digital Certificates Spoofing Vulnerability
RISK: Medium Risk
TYPE: Clients - Browsers
Nine fraudulent digital certificates are known to have been issued by Comodo, a certification authority present in the Trusted Root Certification Authorities Store on all supported versions of Microsoft Windows. Other products (including all web browsers) that use digital certificates may also be affected. Comodo advised that the nine certificates had been signed on behalf of a third party without sufficiently validating its identity. These certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all web browser users.
These certificates affect the following Web properties:
- login.live.com
- mail.google.com
- www.google.com
- login.yahoo.com (3 certificates)
- login.skype.com
- addons.mozilla.org
- "Global Trustee"
Comodo has revoked these certificates, and they are listed in Comodo’s current Certificate Revocation List (CRL). In addition, browsers which have enabled the Online Certificate Status Protocol (OCSP) will interactively validate these certificates and block them from being used.
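The revocation mechanism described above, as an added example that is not part of the original advisory and is not Comodo's, Microsoft's or any browser vendor's code: a self-contained Go program using only the standard library (Go 1.19 or later for crypto/x509's CRL parsing) that builds a toy root CA in memory, issues a certificate for a hypothetical host, revokes it through a CA-signed CRL, and shows that chain validation alone still accepts the mis-issued certificate; only the revocation lookup rejects it. The CA name, the host name `login.example.test` and the serial numbers are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const Host = "login.example.test" // hypothetical site name for the constructed certificates

// Fixture is a constructed in-memory PKI: a toy root CA, a leaf it issued in error and then revoked, a leaf issued normally, and the CA's signed CRL.
type Fixture struct {
	Roots             *x509.CertPool
	CA, Revoked, Good *x509.Certificate
	CRL               *x509.RevocationList
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildFixture creates the toy PKI; nothing here touches the network.
func BuildFixture() *Fixture {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Toy Root CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		// CRLSign is needed to sign a CRL; Go adds the SubjectKeyId a CRL issuer also needs to CA templates.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	issueLeaf := func(serial int64) *x509.Certificate { // server certificate for Host, signed by the toy CA
		key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			DNSNames:     []string{Host},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))))
	}
	revoked, good := issueLeaf(1001), issueLeaf(1002)
	// The CA publishes a signed CRL that lists the mis-issued serial number.
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now,
		NextUpdate:          now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now}},
	}, ca, caKey))
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &Fixture{Roots: roots, CA: ca, Revoked: revoked, Good: good, CRL: must(x509.ParseRevocationList(crlDER))}
}

// ChainValid is the check a client makes with revocation disabled: a path to a trusted root plus a hostname match. A mis-issued certificate passes it.
func ChainValid(roots *x509.CertPool, cert *x509.Certificate, host string) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// IsRevoked validates the CRL itself (issuer signature, not past NextUpdate) before trusting it, then looks the serial number up.
func IsRevoked(crl *x509.RevocationList, issuer, cert *x509.Certificate) (bool, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("untrusted crl: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return false, fmt.Errorf("stale crl (NextUpdate %s); fetch a fresh one", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// Accept combines both checks and fails closed: unknown revocation status is a rejection, not a pass.
func Accept(f *Fixture, cert *x509.Certificate, host string) bool {
	if !ChainValid(f.Roots, cert, host) {
		return false
	}
	revoked, err := IsRevoked(f.CRL, f.CA, cert)
	return err == nil && !revoked
}
```

`ChainValid` returns true for the revoked leaf because, like the Comodo certificates, it carries a genuine signature from a trusted CA; `Accept` returns false for it and true for the normally issued leaf. The CRL is checked for a valid issuer signature and freshness before its contents are consulted, and a CRL that fails either check causes rejection rather than acceptance. OCSP performs the same serial-number lookup online instead of against a downloaded list.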
Impact
- Spoofing
System / Technologies affected
- Products (including all web browsers) using digital certificates
- Windows XP
- Windows Server 2003
- Windows Vista
- Windows Server 2008
- Windows 7
- Windows Server 2008 R2
- Internet Explorer
- Mozilla Firefox
- Mozilla SeaMonkey
- Google Chrome
Solutions
Before installing the software, please visit the software manufacturer's website for more details.
- Updates for Windows (including Internet Explorer): http://support.microsoft.com/kb/2524375
- Upgrade to Mozilla Firefox version 3.6.16 or 3.5.18: http://www.mozilla.com/firefox/
- Upgrade to Mozilla SeaMonkey version 2.0.13: http://www.mozilla.org/projects/seamonkey/
- Upgrade to Google Chrome version 10.0.648.151: http://www.google.com/chrome
- No vendor-supplied patch is currently known for other products
Vulnerability Identifier
- No CVE information is available
Source
Related Link
- http://blogs.comodo.com/it-security/data-security/the-recent-ca-compromise/
- http://www.microsoft.com/technet/security/advisory/2524375.mspx
- http://support.microsoft.com/kb/2524375
- http://www.vupen.com/english/advisories/2011/0733
- http://blog.mozilla.com/security/2011/03/22/firefox-blocking-fraudulent-certificates/
- http://googlechromereleases.blogspot.com/2011/03/stable-and-beta-channel-updates_17.html