Yesterday a hacker published a counterfeit Secure Sockets Layer (SSL) certificate that exploits a hole in a Microsoft library used by three leading browsers – IE, Safari and Chrome. Although this certificate is fake, it appears to be completely legitimate and fools the browsers into thinking nothing is wrong. The bug was actually discovered over two months ago but Microsoft have been slow in applying a bug fix.
Yesterday’s release of the null prefix certificate for PayPal is a very serious issue for online security because it makes it easy for net conmen to defeat one of the net’s oldest and most relied-upon defenses against specific attacks. PayPal and many other websites use these certificates to generate a digital signature that proves login pages are not fake. With a forged certificate that the browser accepts, a hacker can sit between the website and the end user and read the user’s login information.
The certificate exploits a security hole in the Microsoft application programming interface known as CryptoAPI, which is used by Internet Explorer, Apple Safari and Google Chrome to parse a website’s SSL certificates. The certificate is forged, but it can be used with a hacking tool called SSL Sniff to cause all of these browsers to display a faked page with no warnings whatsoever, even when the address is “secure” (https). Windows users are the only ones at risk.
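The following is an added example, not code from the article or from Microsoft. It shows the class of parsing mistake behind a "null prefix" certificate, where a NUL byte is embedded in the certificate's name field, next to a length-aware check that rejects such a name. The struct, function names and sample hostnames are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* A name taken from a certificate: ASN.1 strings carry an explicit length. */
struct cert_name { const unsigned char *data; size_t len; };

/* Constructed samples (not real certificate data). */
static const unsigned char NUL_BYTES[]   = "login.bank.example\0.attacker.example";
static const unsigned char CLEAN_BYTES[] = "login.bank.example";
static const struct cert_name NUL_NAME   = { NUL_BYTES,   sizeof NUL_BYTES - 1 };
static const struct cert_name CLEAN_NAME = { CLEAN_BYTES, sizeof CLEAN_BYTES - 1 };

/* Defect class: the name is handled as a C string, so the comparison
 * stops at the first NUL and never sees the bytes that follow it. */
int match_as_cstring(const struct cert_name *n, const char *host) {
    return strcmp((const char *)n->data, host) == 0;
}

/* A NUL inside the declared length is never valid in a hostname. */
int has_embedded_nul(const struct cert_name *n) {
    return memchr(n->data, '\0', n->len) != NULL;
}

/* Hardened form: reject embedded NULs, then compare over the full
 * declared length. (Real matching also folds case and handles wildcards.) */
int match_length_aware(const struct cert_name *n, const char *host) {
    if (has_embedded_nul(n))
        return 0;
    return n->len == strlen(host) && memcmp(n->data, host, n->len) == 0;
}

int main(void) {
    const char *host = "login.bank.example";
    printf("NUL name:   cstring=%d length_aware=%d embedded_nul=%d\n",
           match_as_cstring(&NUL_NAME, host),
           match_length_aware(&NUL_NAME, host),
           has_embedded_nul(&NUL_NAME));
    printf("clean name: cstring=%d length_aware=%d embedded_nul=%d\n",
           match_as_cstring(&CLEAN_NAME, host),
           match_length_aware(&CLEAN_NAME, host),
           has_embedded_nul(&CLEAN_NAME));
    return 0;
}
```

The same `has_embedded_nul` test is useful on the issuing and monitoring side: a certificate request or logged certificate whose name contains a NUL byte should be rejected or flagged outright.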
PayPal have made a public announcement that they are aware of the issue and they are putting resources into fixing the Microsoft issue on the PayPal side. As yet this is not in place, so caution should be taken.
Mozilla developers patched the hole a few days after a hacker demonstrated the issue at the Black Hat security conference in Las Vegas, and Apple also fixed the issue shortly afterward. The issue is totally focused on Microsoft Windows users, and the only way to remain fully protected against this massive security risk is to use versions 3.0.13 or 3.5 of Firefox. DriverHeaven will keep you posted as to when Microsoft fix the CryptoAPI.
-Allan Campbell, Heaven Media