Microsoft has issued an urgent Security Advisory (2718704) concerning bogus SSL security certificates that are actively being used in current attacks.
Microsoft is aware of active attacks using unauthorized digital certificates derived from a Microsoft Certificate Authority. An unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.
All currently supported versions of Windows are affected, as are Windows Mobile 6.x, and Windows Phone 7.0 and 7.5.
This is the same kind of vulnerability that resulted from the hack of the Dutch Certificate Authority DigiNotar last fall. The phony certificates could be used, as Microsoft says, for a variety of nefarious purposes. In one incident late last year, certificates stolen from the Malaysian government were used to authenticate malicious software.
Microsoft has made patches available for standard (non-mobile) versions of Windows. You can obtain the patches via your system’s automatic update service, or you can download them manually from the links in the associated Knowledge Base article. The article also contains information on the specific files affected.
Downloading the update manually requires Windows “Genuine Advantage” verification, meaning that you must use a machine with a properly licensed copy of Windows. (Once you have downloaded the patch, it can be used to update other machines.) Apart from the hassle for those of us who have mixed environments, this seems perverse; I would think Microsoft would welcome distribution of the update by whatever means.
There are no fixes available for Windows Mobile or Windows Phone at this time. I recommend that you install the patches on your system as soon as you conveniently can.
Update Monday, 4 June, 16:46 EDT
Microsoft has a TechNet blog post that gives more details of the certificate problem, including the digital “thumbprints” of the revoked certificates.
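As an added example (not part of the original post or of Microsoft's advisory), here is a PowerShell check an administrator can run after applying the update: it confirms that each revoked certificate now sits in the machine's Untrusted Certificates store and is no longer present in a trusted store. The thumbprint values are placeholders to be replaced with the ones from Microsoft's TechNet post, and the KB number is assumed to match the advisory number.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.
# PLACEHOLDER thumbprints: replace with the revoked-certificate thumbprints
# published in Microsoft's TechNet post on this advisory.
$revokedThumbprints = @(
    'PLACEHOLDER_THUMBPRINT_1',
    'PLACEHOLDER_THUMBPRINT_2'
)

function Test-RevokedCertificateStatus {
    param([string[]]$Thumbprints)

    # The update places the fraudulent certificates in the Disallowed (Untrusted) store.
    $disallowed = Get-ChildItem -Path Cert:\LocalMachine\Disallowed
    # Stores in which the same certificate must NOT still be trusted.
    $trustedStores = 'Root', 'AuthRoot', 'CA'

    foreach ($tp in $Thumbprints) {
        $tp = $tp.ToUpper()
        $untrusted = $disallowed | Where-Object { $_.Thumbprint -eq $tp }

        $stillTrustedIn = foreach ($store in $trustedStores) {
            $hit = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
                   Where-Object { $_.Thumbprint -eq $tp }
            if ($hit) { $store }
        }

        $subject = $null
        if ($untrusted) { $subject = $untrusted.Subject }

        [pscustomobject]@{
            Thumbprint     = $tp
            InUntrusted    = [bool]$untrusted
            StillTrustedIn = ($stillTrustedIn -join ',')
            Subject        = $subject
        }
    }
}

Test-RevokedCertificateStatus -Thumbprints $revokedThumbprints | Format-Table -AutoSize

# Assumption: the update's Knowledge Base number equals the advisory number.
# No output here means the update is not recorded as installed on this machine.
Get-HotFix -Id 'KB2718704' -ErrorAction SilentlyContinue
```

A row with InUntrusted set to False, or a non-empty StillTrustedIn column, indicates the update has not taken effect on that machine.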