-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2013-0001
Title: Fraudulent certificates issued by a trusted CA: impact on Microsoft products and other browser products

Version history:
04.01.2013 Initial publication

Summary
=======

CERT-EU has been made aware of a security issue related to certificates issued by TURKTRUST Inc. TURKTRUST Inc. is a certificate provider whose CA is included in several trusted CA databases used by products such as browsers. Consequently, a certificate wrongly issued under that CA is accepted by those products without warning and can be used to impersonate servers and sites. A fraudulent certificate has been identified that impersonates *.google.com. [1]

Microsoft is aware of active attacks using one fraudulent digital certificate issued by TURKTRUST Inc. and has issued an advisory. [2]

Affected Versions
=================

All supported releases of Microsoft Windows
Mozilla products, including Firefox
Chrome
Opera
Safari

Original Details
================

TURKTRUST Inc. incorrectly created two subsidiary CAs (*.EGO.GOV.TR and e-islam.kktcmerkezbankasi.org), that is, certificates carrying CA capability that should have been ordinary end-entity certificates. The *.EGO.GOV.TR subsidiary CA was then used to issue a fraudulent digital certificate for *.google.com. Because that certificate chains back to a TURKTRUST root present in trusted CA databases, it validates like any legitimate certificate. It could therefore be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Google web properties.

What can you do?
================

Ensure your product and operating system are up to date; some vendors provide a fix via their auto-update service. Update the trusted CA database of your product, i.e. apply the vendor update that removes trust from (or explicitly distrusts) the fraudulent certificates. Please check your product's website for the latest update.

* Microsoft, see [2] [3]
* Mozilla, see [4] [5]
* Google, see [6]

What to tell your users
=======================

Normal security best practices apply. In particular, inform your web users to be cautious about attachments and about following links to sites provided by unfamiliar or suspicious sources. Users should not click on links in suspicious emails and should immediately forward such emails to the IT security officer / contact in your institution. Note that a fraudulent certificate chaining to a trusted CA produces no browser warning, so user vigilance does not replace the updates above.

More information
================

[1] https://cert.europa.eu/cert/moreclusteredition/en/technet-security-d212f6e5c2912f04828203447fd4f2a3.html
[2] http://technet.microsoft.com/en-us/security/advisory/2798897
[3] http://support.microsoft.com/kb/2677070
[4] http://www.mozilla.org/security/
[5] http://blog.mozilla.org/security/
[6] http://googleonlinesecurity.blogspot.co.uk/2013/01/enhancing-digital-certificate-security.html

Best regards,
CERT-EU Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBAgAGBQJQ5sDrAAoJEPpzpNLI8SVo4BUQAMJ24NgVFdt0GCTwMdPvZHn0
TcFdimRaiDRLyrdidRqFYLMc760tFogDS9G8yUBwM1JLJ+WoDmbN3CVg0asdT0+l
uvd88sjEN+orZHUUACxFB0K2QkWFlKFsug9Ps6Cm8BVH69ObJG1qfrWSuDFHsQZs
xuwKbNcDzmOwtTMbPqFkSrUtVJrO3mkqj8oAa718KO/kU/O4WactKJLmQnvbLB8s
uiyin4hhoqpHoOsTp19RU+R1uUn/8l8o94Phq5a4Q6ZKAFGc+8tDY6x3CUSKSTjq
Jw0SDVmx5fDN/2Vk5uA0zvyhuj3QaMDXCbR9GsZm50HGyq1SwpPOgxqAWAYX6t15
/LStOgeYlOjhZDwU6OkL584P0barRCTRQTPgBThU0kltUDJuSzluOpR8mmrhmRKU
n/wdrumJ4V7CkIOA5e7k/kzbKb2pbSoimiq7wqNu/fE1gH7LMqTAf1J1qlUUh+yB
CWVMjHvm73m1ZGeQaxpWclw3X5zAYBKfKw3l/AQU49EU/02HpWAAxlSa6ykB5jRY
Q62LR08EFnfAcaJ8rEz8vukJ+PbiAbS1emxsv89Ncs65UeTcCeBVW+ihcerIZq1i
kLhiqdIFd7JScaZwgKYzpOu3qGFUzpLYD4fGn9ZIl7KJIek7wgyxKOJNFmxgBA7f
L0lX8bDKsFCTMHHhmvOF
=A6QU
-----END PGP SIGNATURE-----
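Added example, not part of the CERT-EU advisory above and not TURKTRUST's or any vendor's code. It illustrates the two technical points of the advisory, the "Original Details" (a certificate mis-issued with CA capability can sign a *.google.com certificate that chains to a trusted root and validates without any warning) and the "What can you do?" section (the fix is a trust-store update that distrusts the rogue subsidiary CA). The program builds a constructed, offline PKI with Go's standard crypto/x509 package: a hypothetical root named "Example Trusted Root CA", a CA certificate named after the advisory's "*.EGO.GOV.TR" subsidiary CA, and a leaf for *.google.com. All keys, serial numbers and SHA-1 thumbprints are generated at run time and correspond to no real certificate; the function names (issue, SHA1Fingerprint, VerifyWithDistrust, RunScenario) are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Constructed, offline PKI (not real TURKTRUST material): a root, a cert wrongly issued
// with CA:TRUE (named after the advisory's "*.EGO.GOV.TR" CA) and a *.google.com leaf.

type certAndKey struct {
	crt *x509.Certificate
	key *ecdsa.PrivateKey
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a certificate signed by parent; parent == nil gives a self-signed root.
func issue(serial int64, cn string, isCA bool, dnsNames []string, parent *certAndKey) *certAndKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA, // CA:TRUE on a subscriber certificate is the mis-issuance
		DNSNames:              dnsNames,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	}
	parentCrt, parentKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCrt, parentKey = parent.crt, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCrt, &key.PublicKey, parentKey)
	must(err)
	crt, err := x509.ParseCertificate(der)
	must(err)
	return &certAndKey{crt: crt, key: key}
}

// SHA1Fingerprint returns the hex SHA-1 thumbprint of the DER certificate, the form vendors publish.
func SHA1Fingerprint(c *x509.Certificate) string {
	sum := sha1.Sum(c.Raw)
	return hex.EncodeToString(sum[:])
}

// VerifyWithDistrust builds chains normally, then rejects any chain passing through a
// distrusted thumbprint: the effect of a trust-store update that blocks the rogue CA only.
func VerifyWithDistrust(leaf *x509.Certificate, inters, roots *x509.CertPool, host string, distrusted map[string]bool) ([]*x509.Certificate, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Intermediates: inters, Roots: roots})
	if err != nil {
		return nil, err
	}
	for _, chain := range chains {
		blocked := false
		for _, c := range chain {
			blocked = blocked || distrusted[SHA1Fingerprint(c)]
		}
		if !blocked {
			return chain, nil
		}
	}
	return nil, fmt.Errorf("every chain for %s passes through a distrusted certificate", host)
}

// RunScenario returns (accepted before the update, accepted after it, rogue CA thumbprint).
func RunScenario() (bool, bool, string) {
	root := issue(1, "Example Trusted Root CA", true, nil, nil)
	rogue := issue(2, "*.EGO.GOV.TR", true, nil, root) // should have been an end-entity cert
	leaf := issue(3, "*.google.com", false, []string{"*.google.com"}, rogue)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root.crt)
	inters.AddCert(rogue.crt)
	_, errBefore := VerifyWithDistrust(leaf.crt, inters, roots, "www.google.com", nil)
	distrust := map[string]bool{SHA1Fingerprint(rogue.crt): true}
	_, errAfter := VerifyWithDistrust(leaf.crt, inters, roots, "www.google.com", distrust)
	return errBefore == nil, errAfter == nil, SHA1Fingerprint(rogue.crt)
}

func main() {
	before, after, fp := RunScenario()
	fmt.Printf("rogue CA thumbprint %s: accepted before update=%v, after distrust=%v\n", fp, before, after)
}
```

The point to take from the run: path validation alone accepts the www.google.com chain, because nothing in the chain is cryptographically wrong; the root is legitimate and the rogue certificate is validly signed by it. The chain is rejected only once the subsidiary CA's thumbprint is on the distrust list, which is exactly what the vendor updates referenced in [2] to [6] deliver. Distrusting by thumbprint rather than removing the root keeps TURKTRUST's properly issued certificates working.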