update.microsoft.com SSL warnings due to certificate chain update
The Flame malware, the buzz of June 2012, had an interesting replication method that abused the Microsoft Windows Update service. Flame's SNACK (NBNS spoofing) and MUNCH (spoofing of proxy detection and Windows Update requests) modules allowed man-in-the-middle (MITM) attacks that distributed forged Windows updates to the targets.
The MITM URLs were:
The problem was that components of Flame were signed using a forged certificate that the attackers were able to create by exploiting a weakness in Microsoft Terminal Services, which allowed users to sign code with Microsoft certificates.
But since today, the “Microsoft Root Certificate Authority” root certificate and the “Microsoft Update Secure Server CA 1” intermediate certificate are no longer trusted by the majority of Internet browsers, such as Firefox, Chrome, Safari and Opera. The cause is that Microsoft has regenerated the Windows Update certificate chain. The chain of trust is broken (Qualys SSL Labs – SSL Shopper SSL Checker) for www.update.microsoft.com and update.microsoft.com.
— Mikko Hypponen (@mikko) June 17, 2012
SSL certificates for the following domain names are also no longer trusted, because the chain of trust is broken:
The SSL certificates associated with the following domain names are also no longer trusted, because they point to a host that does not correspond to the requested domain name (hosted on Akamai):
With KB-2718704 installed on an up-to-date Windows XP SP3, only the “www.update.microsoft.com” domain could be considered trusted, if you use Internet Explorer.
But despite the installation of KB-2718704, the following domains are still invalid:
Below are some screenshots of different browsers and error messages.
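A triage check for the two failure classes this post separates (a broken chain of trust versus a certificate that belongs to another host), added here as an example and not part of the original post. It assumes Python 3.7+ and the client's system trust store; the function names are hypothetical, and the grouping of OpenSSL verify codes into "chain" and "hostname" is this example's own choice.

```python
import socket
import ssl
import sys

# OpenSSL X509_V_ERR_* codes that mean "no path to a trusted root".
CHAIN_CODES = {
    18: "self-signed leaf certificate",
    19: "self-signed certificate in chain (root not in trust store)",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}
HOSTNAME_MISMATCH = 62  # X509_V_ERR_HOSTNAME_MISMATCH


def classify(verify_code):
    """Map an OpenSSL verify code to 'chain', 'hostname' or 'other'."""
    if verify_code in CHAIN_CODES:
        return "chain"
    if verify_code == HOSTNAME_MISMATCH:
        return "hostname"
    return "other"  # expired, revoked, bad purpose, ...


def diagnose(host, port=443, timeout=10):
    """Handshake against the system trust store; return (status, detail)."""
    ctx = ssl.create_default_context()  # verifies both chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return "trusted", issuer.get("commonName", "?")
    except ssl.SSLCertVerificationError as exc:
        # Must come before OSError: SSLCertVerificationError is a subclass of it.
        return classify(exc.verify_code), exc.verify_message
    except OSError as exc:
        return "unreachable", str(exc)


if __name__ == "__main__":
    # Defaults are the two hosts named in the post; pass others as arguments.
    hosts = sys.argv[1:] or ["www.update.microsoft.com", "update.microsoft.com"]
    for h in hosts:
        status, detail = diagnose(h)
        print(f"{h:32} {status:12} {detail}")
```

The result depends on the trust store of the client running it, which is why the same host can be reported as trusted by one client and as a chain failure by another.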