Business

News

 
More...

Alerts

 
More...

Events

 
More...
 
     
 

Improperly Issued Digital Certificates Could Allow Spoofing

 

Systems Affected



Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows RT
Windows RT 8.1
Windows Server 2012
Windows Server 2012 R2
Server Core installation option
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems (Server Core installation)
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2 (Server Core installation)

Threat Level


Medium


Overview


Microsoft is aware of improperly issued SSL certificates that could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. The SSL certificates were improperly issued by the National Informatics Centre (NIC), which operates subordinate CAs under root CAs operated by the Government of India Controller of Certifying Authorities (CCA), which are CAs present in the Trusted Root Certification Authorities Store. This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue.

The subordinate CA has been misused to issue SSL certificates for multiple sites, including Google web properties. These SSL certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against web properties. The subordinate CAs may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks.

To help protect customers from potentially fraudulent use of this digital certificate, Microsoft is updating the Certificate Trust list (CTL) for all supported releases of Microsoft Windows to remove the trust of certificates that are causing this issue. For more information about these certificates, see the Frequently Asked Questions section of this advisory. Recommendation. An automatic updater of revoked certificates is included in supported editions of Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, and Windows Server 2012 R2, and for devices running Windows Phone 8 or Windows Phone 8.1. For these operating systems or devices, customers do not need to take any action because the CTL will be updated automatically. For systems running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 that are using the automatic updater of revoked certificates (see Microsoft Knowledge Base Article 2677070 for details), customers do not need to take any action because the CTL will be updated automatically.

For systems running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2, and that do not have the automatic updater of revoked certificates installed, this update is not available. To receive this update, customers must install the automatic updater of revoked certificates (see Microsoft Knowledge Base Article 2677070 for details). Customers in disconnected environments and who are running Windows Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 can install update 2813430 to receive this update (see Microsoft Knowledge Base Article 2813430 for details).

For customers running Windows Server 2003, Microsoft recommends that the 2982792 update be applied immediately using update management software, by checking for updates using the Microsoft Update service, or by downloading and applying the update manually. For more information, see the Suggested Actions section of this advisory.


Description


1. WordPress Polldaddy Polls & Ratings plugin Cross-site scripting Vulnerability ( CVE-2014-4856 )
A Cross-site scripting (XSS) vulnerability exists in the Polldaddy Polls & Ratings plugin for WordPress due to improper sanitization of user supplied input. A remote attacker could exploit this vulnerability to execute arbitrary web script or HTML via vectors related to a ratings shortcode and a unique ID.

2. WordPress Tera Charts Plugin Directory Traversal Vulnerabilities ( CVE-2014-4940 )
These vulnerabilities exits in Tera Charts Plugin for WordPress which could allow an attacker to execute arbitrary files using (dot dot) in the fn parameter to charts/treemap.php or charts/zoomabletreemap.php.

3. WordPress EasyCart Plugin Information Disclosure Vulnerability ( CVE-2014-4942 )
This vulnerability exits in EasyCart (wp-easycart) plugin for WordPress. A remote attacker could exploit this vulnerability by calling phpinfo function through request to inc/admin/phpinfo.php, allowing an attacker to obtain configuration information.

4. WordPress NextGEN Gallery Plugin Arbitrary File Upload Vulnerability
This vulnerability exits in NextGEN Gallery Plugin for WordPress due to improper verification of the mime type of image files. On Successful exploitation, a remote attacker could upload and execute arbitrary PHP code.


Impact



Solution/ Workarounds


Apply the update for supported releases of Microsoft Windows

An automatic updater of revoked certificates is included in supported editions of Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, and Windows Server 2012 R2, and for devices running Windows Phone 8 or Windows Phone 8.1. For these operating systems or devices, customers do not need to take any action because the CTL will be updated automatically. For systems running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 that are using the automatic updater of revoked certificates (see Microsoft Knowledge Base Article 2677070 for details), customers do not need to take any action because the CTL will be updated automatically.

For systems running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2, and that do not have the automatic updater of revoked certificates installed, this update is not available. To receive this update, customers must install the automatic updater of revoked certificates (see Microsoft Knowledge Base Article 2677070 for details). Customers in disconnected environments and who are running Windows Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 can install update 2813430 to receive this update (see Microsoft Knowledge Base Article 2813430 for details).

For customers running Windows Server 2003, Microsoft recommends that the 2982792 update be applied immediately using update management software, by checking for updates using the Microsoft Update service, or by downloading and applying the update manually. See Microsoft Knowledge Base Article 2982792 for download links.


References


https://technet.microsoft.com/library/security/2982792#ID0EUIAC


Disclaimer


The information provided herein is on "as is" basis, without warranty of any kind.


 
     

© Copyright Sri Lanka CERT|CC. All Rights Reserved.