Microsoft Windows Includes An Invalid Certificate Vulnerability
RISK: High Risk
TYPE: Operating Systems - Windows OS
A vulnerability was reported in Microsoft Windows. A remote user may be able to spoof SSL certificates.
The operating system includes an invalid subordinate certificate issued by Directorate General of the Treasury (DG Tresor), subordinate to the Government of France CA (ANSSI).
The invalid certificate and its thumbprint are: AC DG Tresor SSL: 5c e3 39 46 5f 41 a1 e4 23 14 9f 65 54 40 95 40 4d e6 eb e2
Unauthorized digital certificates derived from this certificate authority are being actively used in attacks against various Google domains.
The vulnerability lies with the certificate authority that issued the certificate, not with the operating system itself.
Impact
- Spoofing
System / Technologies affected
- Microsoft Windows XP SP3, 2003 SP2, Vista SP2, 2008 SP2, 7 SP1, 2008 R2 SP1, 8, 8.1, 2012, 2012 R2; and prior service packs
Solutions
Before installing the software, please visit the software manufacturer's website for more details.
- The vendor has issued a fix, available via automatic update for Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, and Windows Phone 8.
- The vendor has issued a fix for Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 systems that use the automatic updater of revoked certificates (see KB2677070).
- NOTE: No fix is available for Windows XP or Windows Server 2003.
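As an added check that is not part of the original advisory, the following PowerShell script looks for the thumbprint listed above in the local Disallowed (Untrusted Certificates) stores, where the update and the automatic updater of revoked certificates place distrusted certificates, and separately reports if a matching certificate is present in any trusted store. It assumes it is run in an elevated PowerShell session on a Windows host with the Certificate provider available.

```powershell
# Thumbprint taken from the advisory (spaces removed, upper-cased to match
# the format the Windows Certificate provider uses).
$thumbprint = ('5c e3 39 46 5f 41 a1 e4 23 14 9f 65 54 40 95 40 4d e6 eb e2' -replace ' ', '').ToUpper()

# 1. Is the certificate already distrusted? The fix distributes it into the
#    Disallowed store; check both the machine and the current user stores.
$disallowedStores = @('Cert:\LocalMachine\Disallowed', 'Cert:\CurrentUser\Disallowed')
$distrusted = foreach ($store in $disallowedStores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $thumbprint } |
        Select-Object @{ Name = 'Store'; Expression = { $store } }, Subject, Issuer, NotAfter, Thumbprint
}

if ($distrusted) {
    Write-Output 'Mitigation present: the certificate is in a Disallowed store.'
    $distrusted | Format-List
} else {
    Write-Output 'Certificate not found in any Disallowed store; confirm that the update or the automatic updater of revoked certificates (KB2677070) has been applied.'
}

# 2. Is the same certificate installed anywhere it would be trusted (Root, CA,
#    AuthRoot, etc.)? Store containers have no Thumbprint, so the comparison
#    only matches certificate objects.
$trusted = Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Thumbprint -eq $thumbprint -and $_.PSParentPath -notmatch 'Disallowed' } |
    Select-Object PSParentPath, Subject, Issuer, NotAfter

if ($trusted) {
    Write-Output 'WARNING: a certificate with this thumbprint is present in a trusted store:'
    $trusted | Format-List
} else {
    Write-Output 'No copy of the certificate is present in any trusted store.'
}
```

On systems without the automatic updater (Windows XP and Server 2003, for which no fix is listed), the first check will report the certificate as missing from the Disallowed store, which is the expected result rather than an error in the script.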
Vulnerability Identifier
- No CVE information is available