Microsoft is preparing to release a security update for its Windows Phone 7 devices, in an attempt to block certain SSL certificates that may hamper users of the devices. At the time of writing, there are nine known domains that appear to exist fraudulently, in order to perform "phishing" attacks on unfortunate users. Microsoft previously warned of the following sites:
- login.live.com
- mail.google.com
- www.google.com
- login.yahoo.com (3 certificates)
- login.skype.com
- addons.mozilla.org
- “Global Trustee”
Since warning of these sites, Microsoft released an update for all supported Windows operating systems, in order to minimise any risk they may pose. The SSL certificates could be used for a number of different purposes, all of them malicious. Microsoft believe that these SSL certificates could be used to spoof content, perform phishing attacks, or perform "man-in-the-middle" attacks against different internet browsers. Comodo released a blog post about the SSL certificates in March, though Microsoft are yet to release any updates against the SSL certificates for Windows Phone 7 devices.
While it is currently unclear how Microsoft intends to distribute the patches for their handsets, it is possible that they will use the "over-the-air" update system, as opposed to a major firmware update. Microsoft's Trustworthy Computing manager, Bruce Cowper, had this to say:
"Fraudulent digital certificates are not a Microsoft security vulnerability. We have been working to develop a mitigation update for Windows Phones."
Interestingly, Comodo themselves appear to believe that the attacks could be politically-motivated, or state-driven. Melih Abdulhayoglu, Comodo's founder, had this to say about the attacks:
"Well, one of the origin of the attack that we experienced is from Iran, what is being obtained would enable the perpetrator to intercept web based email/communication and the only way this could be done is if the perpetrator had access to the Country’s DNS infrastructure (and we believe it might be the case here). Of course this is our interpretation of the situation.
"First time we are seeing a “state funded” attack against the “Authentication” infrastructure. The Threat Model is changing and Comodo had already initiated a proposal for new standards in 2010 which would help mitigate some of these attacks. We will make sure to double our efforts in getting industry wide acceptance to these much needed standards so that we can continue to defend our security and freedom."
It is possible that the same people who hijacked Comodo's website in late March may have been responsible for these further attacks. While the release date of the Windows Phone 7 update is not known, Winrumors suggest that it could be released on May 3rd, 2011.