Microsoft has announced and issued an update for nearly all actively supported operating systems to address a problem behind hacking attempts against users visiting Yahoo and Google. Updates should be available now for Windows, Windows Phone, and Windows RT users.
For some quick background, it helps to know what HTTPS connections are. Basically, once you establish trust with a website, you can connect over a secure connection (HTTPS means HTTP + secure). This connection encrypts all of the data you send to and receive from the website you’re visiting; it is decrypted only at the two ends, on your computer and on their server, so that everything works like normal.
This keeps anyone from intercepting and eavesdropping on your web browsing; if they do manage to intercept it, the data will be garbled, since they cannot decrypt it without being the intended recipient. HTTPS connections were first implemented as a measure to protect online transactions, but are now a standard security measure for a large portion of the web.
You establish trust that the website you’re visiting is actually that website, and not an impostor, through what is called an SSL certificate. Your computer and/or web browser keeps an updated list of the certificates it should trust, which is based on pre-approved companies that create and issue SSL certificates.
Recently, one of the trusted companies seemed to go rogue: certificates claiming to be meant for Yahoo and Google were discovered in use by entities that weren’t Yahoo and Google. However, since the certificates were trusted, whoever was posing as Yahoo and Google would likely have had success impersonating those websites and gathering user passwords, correspondence, and the like.
This is called a “man in the middle” attack – someone sits in the middle of a web user’s communications, typically passively eavesdropping while going undetected by both parties. This is relatively easy to do when the connection isn’t secured over HTTPS, but users typically don’t have to worry when they connect via HTTPS, given how it all works.
Microsoft’s update, for all desktop OS versions from Vista onward, Windows RT, and Windows Phone 8 and 8.1, edits the trusted certificate vendor list, removing the Indian company that issued the fraudulent Yahoo and Google certificates.
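What removing an issuer from the trusted list does to certificates it signed, as an added example that is not part of the original article. It assumes the `openssl` command-line tool is installed; every key, certificate and name in it is constructed locally for the demonstration.

```shell
#!/bin/sh
# Added example: all keys, certificates and names are constructed for this demo.
DEMO_DIR=$(mktemp -d)

# Create a self-signed root CA. $1 = file prefix, $2 = subject common name.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$DEMO_DIR/$1.key" -out "$DEMO_DIR/$1.pem" 2>/dev/null
}

# Issue a certificate for host name $2, signed by root CA $1.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$DEMO_DIR/leaf.key" -out "$DEMO_DIR/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$DEMO_DIR/leaf.csr" -days 1 \
    -CA "$DEMO_DIR/$1.pem" -CAkey "$DEMO_DIR/$1.key" -CAcreateserial \
    -out "$DEMO_DIR/leaf.pem" 2>/dev/null
}

# Succeed only if the leaf chains to a root in the trust store file $1.
# The ": OK" output is checked rather than relying on the exit status alone.
leaf_is_trusted() {
  openssl verify -CAfile "$1" "$DEMO_DIR/leaf.pem" 2>/dev/null | grep -q ': OK'
}

make_root good  "Constructed Good Root"
make_root rogue "Constructed Rogue Root"
# The rogue issuer signs a certificate for a site it has no right to vouch for.
issue_leaf rogue "www.example.test"

# Trust store before the update: both issuers are on the list.
cat "$DEMO_DIR/good.pem" "$DEMO_DIR/rogue.pem" > "$DEMO_DIR/store_before.pem"
# Trust store after the update: the rogue issuer has been removed.
cp "$DEMO_DIR/good.pem" "$DEMO_DIR/store_after.pem"

leaf_is_trusted "$DEMO_DIR/store_before.pem" && echo "before update: certificate accepted"
leaf_is_trusted "$DEMO_DIR/store_after.pem"  || echo "after update: certificate rejected"
```

The certificate itself never changes between the two checks; only the list of trusted issuers does, which is why an unpatched system keeps accepting it.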
Compromised certificate issuers are one of the main vulnerabilities of HTTPS, and things like this have happened before: the issuer itself gets hacked and the hacker creates certificates for themselves under a trusted name. Make sure to update your systems to avoid this latest attack attempt.
Featured image by Danny Oosterveer (Flickr).