Hard on the heels of the translated blog by Sebastián Bortnik that I posted at the weekend comes news from the Register (http://www.theregister.co.uk/2009/10/05/fraudulent_paypay_certificate_published/) of a bogus Paypal SSL certificate released yesterday exploiting a bug in Microsoft’s crypto API that has remained unpatched for more than two months, when Moxie Marlinspike (can I have a handle like that, please?) demonstrated his "universal wildcard certificate" at Blackhat.
(Sebastian also referred to this attack in the blog we posted earlier, but here’s that link again: "Null Attacks Against Prefix SSL Certificates" at http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf.)
Dan Goodin of the Register suggests that this is your cue to switch to Firefox, which doesn’t use the vulnerable API used by Internet Explorer, Google Chrome and Apple Safari – who says there’s no cooperation between the big players? ;-)
Well, that’s a convincing argument in the short term, but the real lesson here is that any application you use is only as good as the vendor’s ability to keep it patched and updated in good time when a vulnerability is uncovered.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
Securing Our eCity community initiative: http://www.securingourecity.org/
Author David Harley, ESET