After the Superfish adware that used trusted root certificates to help leak sensitive data, there is a new problem that popped and is being addressed by Microsoft. In the group of trusted root certificates, there comes a weak and fake certificate related to Live.fi. The Live.fi certificate looks like it belongs to Windows Online Services related to Finland.
Microsoft kills Live.fi trusted certificate
The problem is that this certificate is a way for cybercriminals to get their hands on the computer to Internet traffic and vice versa. They can decrypt the communications using the fake but trusted certificate related to Live.Fi.
The problem surfaced recently and so far no damage has been done according to Microsoft spokesperson. Earlier, Microsoft had had a tough time dealing with root certificates related to Superfish. It updated MSE and Windows Defender to kill the adware related certificate. Then the issue of FREAK vulnerability appeared and was addressed by Microsoft using Patch Tuesday updates.
The Live.Fi certificates are not much dangerous as they have been identified quickly and efforts are on to kill the trusted but fake certificates. In an advisory issued today, Microsoft says:
Microsoft is aware of an improperly issued SSL certificate for the domain ‘live.fi’ that could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.
The good news is that this certificate cannot be used to create and issue other certificates so the damage is controlled in case of a man in the middle attack. Microsoft says the bad certificate was issued because of a misconfigured privileged email account on Microsoft’s live.fi web property. This is also drags in Comodo as someone posed with an email ID firstname.lastname@example.org got an email security certificate issued for the domain. Though the certificate is real, the intentions for using it are wrong.
While Comodo has already killed the certificate issued to email@example.com, Microsoft is in process of using Microsoft Updates to patch the issue and kill the trusted fake live.fi certificate. Browsers such as Firefox and Chrome are yet to follow up on the issue.