Emergency Windows update revokes dozens of bogus Google, Yahoo SSL certificates
But users remain vulnerable to any fraudulent credentials not yet discovered.
Microsoft has issued an emergency update for most supported versions of Windows to prevent attacks that abuse recently issued digital certificates impersonating Google and Yahoo. Company officials warned that undiscovered fraudulent credentials for other domains may still be in the wild.
Thursday's unscheduled update revokes 45 highly sensitive secure sockets layer (SSL) certificates that hackers managed to generate after compromising systems operated by the National Informatics Centre (NIC) of India. NIC is an intermediate certificate authority (CA) whose certificates are automatically trusted by all supported versions of Windows. Millions of sites operated by banks, e-commerce companies, and other types of online services use such cryptographic credentials to encrypt data passing over the open Internet and to prove the authenticity of their servers. As Ars explained Wednesday, the counterfeit certificates pose a risk to Windows users accessing SSL-protected sections of Google, Yahoo, and any other affected domains.