Microsoft scrambles to kill man-in-the-middle diddle

Finland, Finland, Finland, the place where hackers cracked a Microsoft admin account


Microsoft is firing off updates to kill a fake certificate that can be used to create a convincing man-in-the-middle attack against its Live services.

Certificate Authority Comodo has killed the bad cert, which it issued, and now Redmond is following suit by updating its revocation list for Windows platforms.

"Microsoft is aware of an improperly issued SSL certificate for the domain '' that could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks," the company said in an advisory today.

"It cannot be used to issue other certificates, impersonate other domains, or sign code."

Microsoft says the bad certificate was issued thanks to a misconfigured privileged email account on Microsoft's web property, which looks to be the Finnish version of its online services. Whatever the site's location and audience, that someone has accessed a privileged account there suggests that attackers had their fingers in the [email protected] pie before asking Comodo for a certificate.

"An email account was able to be registered for the domain using a privileged username, which was subsequently used to request an unauthorised certificate for that domain," it says.
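The failure described above is a mail service letting a member of the public register a mailbox name that a certificate authority treats as proof of domain control. The sketch below is an added illustration, not code from Microsoft or Comodo: a signup-time check that refuses such names. The reserved list (the five validation addresses in the CA/Browser Forum Baseline Requirements plus common RFC 2142 role mailboxes), the normalisation rules and the `example.test` addresses are assumptions.

```python
import unicodedata

# Assumed policy list: local parts a CA may mail for domain validation
# (CA/Browser Forum Baseline Requirements) plus RFC 2142 role mailboxes.
RESERVED_LOCAL_PARTS = frozenset({
    "admin", "administrator", "webmaster", "hostmaster", "postmaster",
    "abuse", "security", "noc", "root",
})


def canonical_local_part(requested):
    """Reduce a requested mailbox name to the form it is compared in."""
    # NFKC folds look-alike forms (e.g. full-width letters) to plain ASCII.
    name = unicodedata.normalize("NFKC", requested).casefold().strip()
    # Sub-addressing: many mail systems deliver "admin+x" to "admin".
    return name.split("+", 1)[0]


def is_reserved(requested):
    """True if the name must never be handed to an ordinary user."""
    canon = canonical_local_part(requested)
    # Also compare with dots removed, for systems that ignore them.
    return (canon in RESERVED_LOCAL_PARTS
            or canon.replace(".", "") in RESERVED_LOCAL_PARTS)


def audit_existing(addresses):
    """Return already-registered addresses that use a reserved name."""
    hits = []
    for address in addresses:
        local, _, _domain = address.rpartition("@")
        if local and is_reserved(local):
            hits.append(address)
    return hits


if __name__ == "__main__":
    # Constructed sample data, not taken from the incident.
    sample = ["alice@example.test", "Webmaster@example.test",
              "admin+offers@example.test"]
    for address in audit_existing(sample):
        print("reserved name in use:", address)
```

Running `audit_existing` over the current user directory covers names that were registered before the signup check existed.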

Redmond urges users to apply automatic updates. Windows 8 users can sit back and let the built-in updater do the work, while those on Server 2008 and Windows 7 will need to install the updater, or download update 2917500.

Those who do not will remain open to convincing phishing schemes that could harvest Microsoft email credentials.

Google and Mozilla will doubtless update their browsers in the coming days to put an end to the potential p0wnage. ®

Biting the hand that feeds IT © 1998–2020