Microsoft Patches Internet Explorer Certificate Flaw

UPDATE 4:15 pm ET Wednesday: Microsoft has revoked the affected digital certificates and Internet Explorer now should be safe to use. Users of Windows Vista and Windows 7 may have to install some additional software -- see the end of this story for details.

Sloppy oversight at an Indian government agency that issues digital certificates for websites means that Windows users will probably want to avoid Internet Explorer for the time being.

Last week, Google discovered fake digital certificates for Google and Yahoo websites, with the result that attackers could "spoof" those sites and fool ordinary Web users into handing over their money or personal data to criminals or spies.

Google's Chrome browser for Windows is no longer affected. Mozilla Firefox for Windows never was, nor were any programs running on Apple's OS X or iOS, the Google Chrome OS or Android. But it may take some time for Microsoft to issue a software patch for Internet Explorer.

MORE: Best Free PC Antivirus Software 2014

What went wrong, and why

Digital certificates underlie all secure online communications. They make sure the credit-card data you provide Amazon or Apple is safely transmitted. When you see "https" in a Web address, a digital certificate has proven to your Web browser that the website is what it says it is, and not a fake Amazon clone run by some joker in Eastern Europe.

Unfortunately, the digital-certificate oversight system is a mess. There are only a few "root" certificate authorities (CAs), such as Microsoft, but each has arrangements with dozens of regional and national second-tier CAs around the world, and most of those have their own arrangements with third-tier local CAs.

For the online "Web of trust" to function, all participants have to trust each other, with the result that Microsoft, for example, is obligated to guarantee the authenticity of digital certificates issued by organizations it knows nothing about.

On June 25, an Indian government agency authorized to issue digital certificates on behalf of the main Indian CA, which is in turn recognized by Microsoft, issued at least four bogus certificates, apparently as a result of a security breach, that would let any website claim it was Google or Yahoo.

Google found the fake certificates July 2, and pushed out an emergency update to the Google Chrome browser that would reject them. The Indian government revoked the certificates the next day.

Unfortunately, Microsoft implicitly trusts all certificates backed by the Indian government, which means Internet Explorer and other Web-facing Microsoft software on Windows is still vulnerable. Worse, there may be other fake certificates bearing the Indian government's stamp out there.

"The four certificates provided included three for Google domains (one of which we were previously aware of) and one for Yahoo domains," wrote Google security engineer Adam Langley in a blog posting yesterday (July 9). "However, we are also aware of mis-issued certificates not included in that set of four and can only conclude that the scope of the breach is unknown."

What Microsoft — and you — can do about this

The last time a certificate breach on this scale happened, Microsoft pushed out a Windows update that de-recognized all certificates issued by a Dutch company that had had its certificates stolen by Iranian hackers, and the company went out of business.

It's unlikely that Microsoft could do the same with the Indian government, but until it does something to fix the problem, no one should use Internet Explorer to access any website that uses HTTPS secure communications — no online shopping, Webmail, Facebook or online banking. (Viewing websites that don't use HTTPS, such as Tom's Guide, should still be okay.)

To make sure other applications, such as Outlook or Word, don't open up Web links in Internet Explorer, you'll have to change your default programs. Here's how:

1. Install Mozilla Firefox or Google Chrome.

2. Open up Control Panel and, in the search box, search for Default Programs.

3. Click Default Programs.

4. Click "Set your default programs."

5. Select either Firefox or Google Chrome.

6. Select "Select this program as default" at the bottom of the dialog box.

7. Click OK.

UPDATE: Microsoft has revoked the affected certificates and pushed out an update to systems that permit automatic updates of digital certificates. 

Users of Windows 8, 8.1, RT or R 8.1. will not have to take any action. Users of Windows Vista or Windows 7 will need to install Microsoft's automatic certificate updater, available under "Downloads" on its specific Microsoft support page.

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.