Microsoft Patches Internet Explorer Certificate Flaw

By Paul Wagenseil | Source: Tom's Guide US | 11 comments

UPDATE 4:15 pm ET Wednesday: Microsoft has revoked the affected digital certificates and Internet Explorer now should be safe to use. Users of Windows Vista and Windows 7 may have to install some additional software -- see the end of this story for details.

Sloppy oversight at an Indian government agency that issues digital certificates for websites means that Windows users will probably want to avoid Internet Explorer for the time being.

Last week, Google discovered digital certificates for Google and Yahoo websites that had been issued without authorization but that carried valid signatures from a trusted chain. With such a certificate and its private key, an attacker who can also get between a victim and the real site could impersonate it and fool ordinary Web users into handing over their money or personal data to criminals or spies.

Google's Chrome browser for Windows is no longer affected. Mozilla Firefox for Windows never was, because Firefox ships its own list of trusted root certificates and the Indian government's root is not on it; the same goes for programs running on Apple's OS X or iOS, Google's Chrome OS or Android, whose trust stores also leave it out. Chrome on Windows, by contrast, relies on the Windows certificate store, which is why it needed a fix of its own. It may take some time for Microsoft to issue a fix for Internet Explorer and the Windows store it depends on.


What went wrong, and why

Digital certificates underlie all secure online communications. When you see "https" in a Web address, a certificate has proven to your Web browser that the server on the other end holds the private key for that site's name, so the credit-card data you give Amazon or Apple goes to Amazon or Apple and not to a fake clone run by some joker in Eastern Europe. The encryption is only as good as that proof of identity: a connection to an impostor is encrypted just as well as one to the real site.

Unfortunately, the oversight system behind those certificates is a mess. Microsoft is not itself a root certificate authority (CA); like Mozilla, Apple and Google, it maintains a list of "root" CAs that its software will trust. That list runs to hundreds of roots, many of them national or regional CAs, and most of those roots have in turn signed certificates for subordinate CAs, which may delegate further still.

In this chain of trust, trusting a root means trusting everything beneath it: once a root is on its list, Windows accepts any certificate that chains up to that root, including ones issued by subordinate organizations that Microsoft has never dealt with and knows nothing about.

On June 25, India's National Informatics Centre (NIC), a government agency authorized to issue certificates as a subordinate CA under the country's Controller of Certifying Authorities (India CCA), whose root certificate Microsoft's trust program carries, issued at least four unauthorized certificates, apparently as a result of a breach of its issuance systems. Whoever holds those certificates and their private keys can stand up a server that Windows software would accept as Google or Yahoo.

Google found the certificates July 2 and pushed an emergency block list to Chrome (Chrome can distrust specific certificates without a new browser release), so Chrome now rejects them. India CCA revoked NIC's subordinate-CA certificates the next day, July 3.

Unfortunately, Windows still carries the India CCA root in its trust store, and a revocation published by the CA only protects clients that fetch and honor it, so until Microsoft pushes a distrust of its own, Internet Explorer and other Web-facing Microsoft software on Windows remain vulnerable. Worse, there may be other fake certificates bearing the Indian government's stamp out there.
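The chain of trust described above, and the two kinds of fix the story goes on to describe (blocking the known certificates, then revoking the issuing sub-CA), as an added example in Go; this is illustration code, not part of the original article or of any browser or Windows component. It builds a throwaway three-tier hierarchy with hypothetical names and freshly generated keys: a root standing in for the trusted government root, a subordinate CA standing in for the issuing agency, and a leaf certificate for www.google.com that the sub-CA had no business issuing. It then shows that the leaf validates for as long as the root sits in the trust store and the hostname matches, and that a pushed list of revoked (issuer key, serial) pairs, the shape of a CRL entry or of a Chrome CRLSet entry, rejects it either by naming the leaf under the sub-CA or by naming the sub-CA under the root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// pki is a constructed three-tier hierarchy: Root stands in for the trusted government
// root, Sub for the agency issuing under it, Leaf for the mis-issued www.google.com
// certificate. Names, keys and serial numbers are all hypothetical.
type pki struct{ Root, Sub, Leaf *x509.Certificate }

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newTemplate builds a CA or server-certificate template for cn, valid for a day.
func newTemplate(serial int64, cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.DNSNames = []string{cn} // the SAN a browser matches the hostname against
	}
	return t
}

// issue generates a key for tmpl and has parentKey sign it; nil parentKey means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

func buildPKI() pki {
	root, rootKey := issue(newTemplate(1, "Example Government Root CA", true), nil, nil)
	sub, subKey := issue(newTemplate(2, "Example Agency Sub CA", true), root, rootKey)
	leaf, _ := issue(newTemplate(3, "www.google.com", false), sub, subKey) // the unauthorized certificate
	return pki{Root: root, Sub: sub, Leaf: leaf}
}

// revKey names a certificate the way a CRL entry or a Chrome CRLSet entry does:
// by the issuer's public key (SPKI hash) plus the certificate's serial number.
func revKey(issuer *x509.Certificate, serial *big.Int) string {
	return fmt.Sprintf("%x:%x", sha256.Sum256(issuer.RawSubjectPublicKeyInfo), serial)
}

// distrust is the set of revoked (issuer, serial) pairs pushed out to clients.
type distrust map[string]bool

func (d distrust) revoke(issuer *x509.Certificate, serial *big.Int) { d[revKey(issuer, serial)] = true }

// verifyHost does what a browser does: build a path from the leaf to a root in the
// trust store, match host against the leaf's names, then discard any chain in which
// a certificate was revoked by its issuer (the next certificate along the chain).
func verifyHost(p pki, host string, d distrust) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.Root) // "Windows trusts the Indian root" in concrete terms
	inters.AddCert(p.Sub)
	chains, err := p.Leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		revoked := false
		for i := 0; i+1 < len(chain); i++ {
			revoked = revoked || d[revKey(chain[i+1], chain[i].SerialNumber)]
		}
		if !revoked {
			return nil
		}
	}
	return fmt.Errorf("every trust path for %s contains a revoked certificate", host)
}

func main() {
	p, known, whole := buildPKI(), distrust{}, distrust{}
	known.revoke(p.Sub, p.Leaf.SerialNumber) // Google's move: block the known certificates
	whole.revoke(p.Root, p.Sub.SerialNumber) // India CCA's move: revoke the sub-CA itself
	fmt.Println("root trusted, nothing revoked:", verifyHost(p, "www.google.com", distrust{}))
	fmt.Println("known certificate revoked:", verifyHost(p, "www.google.com", known))
	fmt.Println("sub-CA revoked:", verifyHost(p, "www.google.com", whole))
}
```

Run it with `go run`. The case worth noticing is the one the article's warning rests on: with the root in the trust store and nothing revoked, the first call returns no error even though the sub-CA had no right to issue for that name, because path building only checks signatures, validity dates and the hostname. A serial number also means nothing on its own; it is only meaningful together with the key that issued it, so an entry keyed under the wrong issuer (say, the leaf's serial under the root) matches nothing, which is why a fix has to come from, or be pushed in the name of, the CA above the offender.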

"The four certificates provided included three for Google domains (one of which we were previously aware of) and one for Yahoo domains," wrote Google security engineer Adam Langley in a blog posting yesterday (July 9). "However, we are also aware of mis-issued certificates not included in that set of four and can only conclude that the scope of the breach is unknown."

What Microsoft — and you — can do about this

The last time a certificate breach on this scale happened, in 2011, Microsoft pushed out a Windows update that removed trust in every certificate issued by DigiNotar, a Dutch CA whose systems had been compromised, reportedly by Iranian hackers, to issue fraudulent certificates, and the company went out of business.

It's unlikely that Microsoft could do the same to a national government's root, but until it does something to fix the problem, no one should use Internet Explorer to access any website that uses HTTPS secure communications: no online shopping, Webmail, Facebook or online banking. A bogus certificate only does an attacker any good if he can also get between you and the site, but you have no way of telling from the browser whether that is happening. (Viewing websites that don't use HTTPS, such as Tom's Guide, should still be okay.)

To make sure other applications, such as Outlook or Word, don't open up Web links in Internet Explorer, you'll have to change your default programs. Here's how:

1. Install Mozilla Firefox or Google Chrome.

2. Open up Control Panel and, in the search box, search for Default Programs.

3. Click Default Programs.

4. Click "Set your default programs."

5. Select either Firefox or Google Chrome.

6. Click "Set this program as default" at the bottom of the dialog box.

7. Click OK.

UPDATE: Microsoft has added the affected certificates to its list of untrusted certificates and pushed that list out to systems that accept automatic updates of certificate trust lists.

Users of Windows 8, 8.1, RT or RT 8.1 will not have to take any action, because those versions fetch the updated list automatically. Users of Windows Vista or Windows 7 will need to install Microsoft's automatic certificate updater, available under "Downloads" on its specific Microsoft support page.

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

  • 6 | dstarr3, July 10, 2014 12:40 PM
    Internet Explorer.

    *rolls eyes*
  • 2 | agentbb007, July 10, 2014 12:54 PM
    Ouch, another reason I'm glad to be running Firefox...
  • 3 | MrGulio, July 10, 2014 12:56 PM
    Quote:
    Avoid Internet Explorer Until Microsoft Fixes This Flaw


    Shouldn't be a problem.
  • 0 | wavetrex, July 10, 2014 1:04 PM
    You know what, Tom's? This "Eastern Europe" bash has gone far enough.
    We are not all crackers and thieves. Actually, very, very few Eastern Europeans are actually involved in such activities, just like there are some crackers everywhere on the planet.

    How would people like it if I said that all Germans are Nazis, all Russians are drunkards and all Americans are idiots (or any other kind of regional hate)?

    ... seriously, cut it down already!
  • 2 | knowom, July 10, 2014 1:32 PM
    Dear Internet Explorer,

    I wish you luck on your adventures in your brave exploration of the internet(z), but we won't sympathize with your continued ignorance, mistrust, and misguidance in Microsoft's very flawed track record with security. Any misfortunes, no pun intended, are yours alone. Good luck, you poor naive schmuck.
  • 2 | SteelCity1981, July 10, 2014 1:48 PM
    OK, so according to this, Windows 8 and Windows 8.1 users aren't affected by this, but Windows 7 users and Windows Vista users (the 100 or so remaining, lol) are.
  • 1 | danwat1234, July 10, 2014 3:56 PM
    What about XP?
  • 2 | bombebomb, July 10, 2014 4:39 PM
    Internet explorer what? Going to have to google this.
  • 0 | falchard, July 10, 2014 11:36 PM
    Quote:
    OK, so according to this, Windows 8 and Windows 8.1 users aren't affected by this, but Windows 7 users and Windows Vista users (the 100 or so remaining, lol) are.

    For most consumers, they should have already downloaded the automatic authentication thingamajig when they updated IE to the same version as Windows 8. This update is for those who use an older version of IE or update them manually.
  • 0 | hoofhearted, July 11, 2014 4:11 AM
    Quote:
    You know what, Tom's? This "Eastern Europe" bash has gone far enough.
    We are not all crackers and thieves. Actually, very, very few Eastern Europeans are actually involved in such activities, just like there are some crackers everywhere on the planet.

    How would people like it if I said that all Germans are Nazis, all Russians are drunkards and all Americans are idiots (or any other kind of regional hate)?

    ... seriously, cut it down already!


    Sorry, but my honeypot begs to differ. RIPE is the biggest offender.
  • 0 | plast0000, July 16, 2014 5:40 PM
    Quote:
    What about XP?

    You are kidding, right? It lost support 3 months ago, so no more updates for XP.