Fraudulent credentials for additional domains may also exist in the wild.

Microsoft has issued an emergency update for most supported versions of Windows to prevent attacks that abuse recently issued digital certificates impersonating Google and Yahoo. Company officials warned undiscovered fraudulent credentials for other domains may still be in the wild.

Thursday's unscheduled update effectively blocks 45 highly sensitive secure sockets layer (SSL) certificates that hackers managed to generate after compromising systems operated by the National Informatics Centre (NIC) of India. That's an intermediate certificate authority (CA) whose certificates were automatically trusted by all supported versions of Windows. Millions of sites operated by banks, e-commerce companies, and other types of online services use such cryptographic credentials to encrypt data passing over the open Internet and to prove the authenticity of their servers. As Ars explained Wednesday, the counterfeit certificates pose a risk to Windows users accessing SSL-protected sections of Google, Yahoo, and any other affected domains.
"These SSL certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against Web properties," a Microsoft advisory warned. "The subordinate CAs may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks."

Computers running version 8, 8.1, RT, RT 8.1, Server 2012, Server 2012 R2, Phone 8 or Phone 8.1 of Windows will receive the revocation update automatically. An automatic updater for revoked certificates, already enabled in these versions, will update the Windows Certificate Trust List without requiring users to take any action. People using Windows Vista, 7, Server 2008, or Server 2008 R2 may or may not already have the automatic updater installed. Users who don't have the updater already, or who are unsure about its status, can install it or make sure it's installed by following the instructions here. At the moment, there is no way for systems running Windows Server 2003 to revoke the fraudulent certificates.

Thursday's advisory flagged 45 separate URLs that were vulnerable to spoofing by counterfeit certificates that stemmed from a recent hack of an India-based CA. The bogus certificates covered various subdomains for Google, Yahoo, yahoo-inc.com, yahooapis.com, static.com, and gstatic.com. The unscheduled update will hardwire the revocation of these specific certificates directly into Windows, a measure that prevents attackers from bypassing the real-time certificate verification checks performed by the Online Certificate Status Protocol (OCSP). As Ars reported on Wednesday and Microsoft warned Thursday, security experts haven't ruled out the possibility that the hackers generated additional fraudulent certificates covering the same or different domains. Even after receiving Thursday's patch, Windows machines will continue to automatically trust any bogus credentials that have yet to be discovered. The update also revokes trust in three intermediate certificates belonging to NIC, a move that invalidates every domain certificate issued under them, including an unknown number of legitimate ones. The collateral damage from this move could create problems for people attempting to access SSL-protected sites relying on one of the NIC intermediate certificates.

Microsoft could have eliminated the risk posed by any undiscovered certificates by updating its Certificate Trust List to remove the root certificates of India's Controller of Certifying Authorities (CCA), which oversees the compromised NIC. That move would have caused many more legitimate sites to display SSL errors, a consideration that likely drove Microsoft's decision to revoke only the individual domain certificates known to be fake. Microsoft's options stand in stark contrast to those available to the engineers of Google Chrome. Granular controls in that browser allow it to accept only a small subset of CCA-authorized certificates, all carrying India's .in top-level domain.
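The two trust controls contrasted in the preceding paragraphs, a revocation list built into the client that is consulted before any OCSP lookup (Microsoft's approach) and a per-root name restriction that accepts only .in names (Chrome's approach), can be modelled in a few dozen lines. The following is an added example written for this article, not code from Microsoft, Google or NIC; the certificates are constructed dictionaries with placeholder bytes standing in for DER, the NIC and CCA names are placeholders, and the OCSP step is simulated. It shows why a hardwired disallowed list cannot be bypassed by blocking OCSP, why revoking the intermediates also breaks legitimate .in certificates issued under them, and how a name restriction would have rejected the bogus Google certificate without that collateral damage.

```python
"""Model of client-side trust controls discussed in the article (added example).
Certificates here are constructed stand-ins, not real X.509 data."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    dns_names: tuple  # subjectAltName DNS entries on a leaf; empty for CA certs
    der: bytes        # constructed placeholder standing in for the DER encoding

    def fingerprint(self) -> str:
        # Disallowed-list entries are keyed by certificate thumbprint.
        return hashlib.sha1(self.der).hexdigest()


# Constructed stand-ins (placeholder names, placeholder bytes).
CCA_ROOT_NAME = "CCA India root (placeholder)"
NIC_INTERMEDIATE = Cert("NIC intermediate (placeholder)", CCA_ROOT_NAME, (),
                        b"nic-intermediate-placeholder")
BOGUS_GOOGLE = Cert("www.google.com", NIC_INTERMEDIATE.subject,
                    ("www.google.com",), b"bogus-google-leaf-placeholder")
LEGIT_IN_SITE = Cert("example.gov.in", NIC_INTERMEDIATE.subject,
                     ("example.gov.in",), b"legitimate-in-leaf-placeholder")

# Windows-style control: thumbprints shipped in the client's disallowed list.
DISALLOWED = frozenset({NIC_INTERMEDIATE.fingerprint()})

# Chrome-style control: per-root permitted DNS suffixes.
# A leading dot means "this domain and any subdomain of it".
PERMITTED_SUFFIXES = {CCA_ROOT_NAME: (".in",)}


def name_permitted(dns_name: str, suffixes: tuple) -> bool:
    """Return True if dns_name falls under one of the permitted suffixes."""
    name = dns_name.lower().rstrip(".")
    for suffix in suffixes:
        suffix = suffix.lower()
        if suffix.startswith("."):
            if name == suffix[1:] or name.endswith(suffix):
                return True
        elif name == suffix:
            return True
    return False


def validate_chain(chain, host, disallowed=DISALLOWED,
                   permitted=PERMITTED_SUFFIXES, ocsp_reachable=True):
    """Validate a chain (leaf first, last element issued by a trusted root).

    Returns (accepted, reason). Signature checks are assumed to have passed;
    only the trust controls under discussion are modelled.
    """
    # 1. Built-in revocation runs before any network lookup, so an attacker
    #    who can block OCSP traffic gains nothing from doing so.
    for cert in chain:
        if cert.fingerprint() in disallowed:
            return False, f"disallowed certificate in chain: {cert.subject}"

    # 2. Hostname must appear in the leaf's SAN list.
    leaf = chain[0]
    if host.lower() not in [n.lower() for n in leaf.dns_names]:
        return False, "hostname not in leaf SAN"

    # 3. Name restriction attached to the root this chain ends at.
    root_name = chain[-1].issuer
    suffixes = permitted.get(root_name)
    if suffixes is not None and not name_permitted(host, suffixes):
        return False, f"{host} is outside the names permitted for {root_name}"

    # 4. Live OCSP as a last resort. Soft-fail on unreachable responders is
    #    exactly the gap a hardwired disallowed list closes.
    if not ocsp_reachable:
        return True, "accepted: OCSP unreachable, soft-fail"
    return True, "accepted"


if __name__ == "__main__":
    bogus = [BOGUS_GOOGLE, NIC_INTERMEDIATE]
    legit = [LEGIT_IN_SITE, NIC_INTERMEDIATE]
    print("Windows-style, bogus Google:", validate_chain(bogus, "www.google.com"))
    print("Windows-style, legit .in site:", validate_chain(legit, "example.gov.in"))
    print("Chrome-style, bogus Google:",
          validate_chain(bogus, "www.google.com", disallowed=frozenset()))
    print("Chrome-style, legit .in site:",
          validate_chain(legit, "example.gov.in", disallowed=frozenset()))
    print("No built-in list, OCSP blocked:",
          validate_chain(bogus, "www.google.com", disallowed=frozenset(),
                         permitted={}, ocsp_reachable=False))
```

The last call is the case the article's "hardwire" remark is about: with neither control in place, an attacker positioned to intercept traffic can simply drop the OCSP request and a soft-failing client accepts the bogus leaf. The Windows-style run shows the trade-off the article describes, since revoking the NIC intermediate rejects the legitimate .in site as well, while the Chrome-style run rejects only the certificate whose name lies outside .in.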

Windows users should ensure as soon as possible that their systems are updated. Even then, they should remember that they remain susceptible to any certificates that have not yet been detected. Especially cautious Windows users should consider accessing SSL-protected domains using the Firefox browser or Thunderbird e-mail app, which don't rely on Microsoft's Certificate Trust list. Microsoft's Enhanced Mitigation Experience Toolkit may also offer some additional protection. As noted earlier, Chrome for Windows is immune to most attacks, since CCA-authorized certificates are limited to the .in top level domain. People using default versions of Mac OS X, Linux, and other operating systems are also immune since they don't trust CCA-authorized sites.

This post was updated to correct misstatements about the status of any undiscovered certificates generated under the NIC intermediate certificates.