UCSC Critical Security Alert: Unauthorized Digital Certificates Could Allow Spoofing

The ITS Information Security Team is releasing this advisory to remind you that it is important to keep your computer updated with the latest security patches, which helps prevent your systems (at work and at home) from being compromised.

Summary
-------------

Microsoft recently released Security Advisory 2718704,[1] which covers a critical update for all Windows systems and virtual machines. Microsoft recommends that this update be installed immediately. The ITS Information Security Team concurs with this assessment, which prompted this advisory and its dissemination to the entire UCSC community because of the possible impact on personally owned and managed systems.

Affected Software/Systems/Devices:
--------------------------------------------

Windows XP
Windows Server 2003
Windows Vista
Windows 7
Windows Server 2008
Windows Mobile 6.x
Windows Phone 7
Windows Phone 7.5

Note that operating systems no longer supported by Microsoft are not tested for vulnerabilities, are not identified for fixes, and are not listed as affected by this reported issue. The issue could nonetheless pertain to older Windows operating systems not in this list. For this and other reasons, the ITS Information Security Team recommends upgrading or changing your operating system to a supported platform as soon as possible.

Primary Mitigation Solution
----------------------------------

If you have Microsoft Windows Update enabled on your computer or receive updates via ITS Managed Computer Services, you will not need to take any action other than restarting your computer. Windows Update and ITS Managed Computer Services will update your computer automatically and prompt you to reboot safely.

Note that the ITS Information Security Team recommends using ITS Managed Computer Services for systems connected to the UCSC network, and strongly recommends using the Windows Automatic Updates feature for timely updates on personal (home) systems.

Those who have decided not to use the Automatic Updates service can install the update manually using the Microsoft Update service.

Enabling automatic update (strongly recommended): http://support.microsoft.com/kb/294871

Microsoft Update: http://go.microsoft.com/fwlink/?LinkID=40747

Please be aware that these vendor updates (patches) may not have been tested yet for compatibility with campus systems. System owners are expected to test the impact of these critical updates, apply proper change management procedures, and communicate with clients as necessary. Please encourage clients to contact system owners if they experience problems after applying the update(s).

If you are not sure if this update has been applied and need assistance with a UCSC system, please submit an IT Request ticket at http://itrequest.ucsc.edu or contact the ITS Support Center by email help@ucsc.edu, telephone 459-HELP(4357), or in-person Kerr Hall Room 54.
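For system owners who want to confirm the update on a machine themselves, the following PowerShell check is an added example and is not part of the UCSC advisory or of Microsoft's update. It assumes a supported Windows system with PowerShell, and the certificate subject text "Microsoft Enforced Licensing" is taken from Microsoft's description of the certificates the update moves to the Untrusted Certificates store (see the Technical information links below); verify it against the linked advisory.

```powershell
# Added verification check (not part of the UCSC advisory). Assumes a
# supported Windows system with PowerShell and the Cert: drive available.
# The subject text matched below is assumed from Microsoft's description of
# the KB2718704 update; confirm it against the Microsoft advisory.

function Test-KB2718704Applied {
    # 1. Is the update package recorded as installed? (Get-HotFix may miss
    #    updates delivered through other channels, so this alone is not proof.)
    $hotfix = Get-HotFix -Id 'KB2718704' -ErrorAction SilentlyContinue

    # 2. The update's actual effect: the unauthorized Microsoft licensing CA
    #    certificates are placed in the Untrusted Certificates store, which
    #    PowerShell exposes as Cert:\LocalMachine\Disallowed.
    $untrusted = Get-ChildItem -Path 'Cert:\LocalMachine\Disallowed' |
        Where-Object { $_.Subject -like '*Microsoft Enforced Licensing*' }

    $subjects = @($untrusted | Select-Object -ExpandProperty Subject)

    [pscustomobject]@{
        HotfixListed         = [bool]$hotfix
        UntrustedLicensingCA = $subjects.Count
        Subjects             = $subjects
        # Treat the machine as patched only if the certificates are actually
        # in the untrusted store; the hotfix entry is supporting evidence.
        Applied              = ($subjects.Count -gt 0)
    }
}

Test-KB2718704Applied | Format-List
```

Run it from an elevated PowerShell prompt; a result of `Applied : False` on a system in the affected list above means the update still needs to be installed through Windows Update or Microsoft Update.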

Further Precautions/mitigation actions:
-----------------------------------------------

Ensure your systems are protected with multilayer defenses (anti-virus, host and network firewalls, network monitoring and detection, etc.) with up-to-date signatures.

End user awareness is key: most malware infections start the same way, with someone clicking on something they shouldn't have. It is important to exercise caution and common sense before clicking on an email attachment or web link, to notice when "something weird" is going on with the computer, and to report it to the ITS Support Center and/or the system administrator. This is an important reminder to practice good habits and stay on guard.

If you have questions or concerns regarding keeping your system or data secure (work or home systems), please review the UCSC IT Security web site.[2]

Source information/Links
--------------------------------

[1] Microsoft Security Advisory 2718704
http://technet.microsoft.com/en-us/security/advisory/2718704

[2] UCSC IT Security web site
http://its.ucsc.edu/security/index.html

Technical information/Links
-----------------------------------

Microsoft certification authority signing certificates added to the Untrusted Certificate Store
http://blogs.technet.com/b/srd/archive/2012/06/03/microsoft-certification-authority-signing-certificates-added-to-the-untrusted-certificate-store.aspx

isc.sans.org: Microsoft Emergency Bulletin: Unauthorized Certificate used in "Flame"
https://isc.sans.edu/diary/Microsoft+Emergency+Bulletin+Unauthorized+Certificate+used+in+Flame+/13366

isc.sans.org: Browsers and SSL Security - a Race to the Bottom !
https://isc.sans.edu/diary/Browsers+and+SSL+Security+-+a+Race+to+the+Bottom+/13372

blogs.mcafee.com: ‘Flame’ Has Been Lit in Cyberspace – What Consumers Should Know
http://blogs.mcafee.com/consumer/consumer-threat-notices/flame-has-been-lit-in-cyberspace-what-consumers-should-know