March 24

I don't pay much attention to M$ myself, but this patch still caught my eye.

The gist: Comodo issued 9 fraudulent digital certificates. When issuing them, Comodo did not adequately verify the applicant's identity. (Of course, we can all guess who did it.) In other words, if Comodo is trusted in your root certificate store, these 9 forged certificates can be used to deceive you. The forged domains are listed below (taken from Comodo; unfortunately, they may well all be domains used by your everyday email, IM and browser):

Fraudulently issued certificates

9 certificates were issued as follows:

Domain: mail.google.com  [NOT seen live on the internet]
Serial: 047ECBE9FCA55F7BD09EAE36E10CAE1E

Domain: www.google.com  [NOT seen live on the internet]
Serial: 00F5C86AF36162F13A64F54F6DC9587C06

Domain: login.yahoo.com  [Seen live on the internet]
Serial: 00D7558FDAF5F1105BB213282B707729A3

Domain: login.yahoo.com  [NOT seen live on the internet]
Serial: 392A434F0E07DF1F8AA305DE34E0C229

Domain: login.yahoo.com  [NOT seen live on the internet]
Serial: 3E75CED46B693021218830AE86A82A71

Domain: login.skype.com  [NOT seen live on the internet]
Serial: 00E9028B9578E415DC1A710A2B88154447

Domain: addons.mozilla.org  [NOT seen live on the internet]
Serial: 009239D5348F40D1695A745470E1F23F43

Domain: login.live.com  [NOT seen live on the internet]
Serial: 00B0B7133ED096F9B56FAE91C874BD3AC0

Domain: global trustee  [NOT seen live on the internet]
Serial: 00D8F35F4EB7872B2DAB0692E315382FB0

Comodo's announcement is here.

Microsoft's security advisory is here.
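As an added example (not code from the original post, from Comodo or from Microsoft), here is a defender-side check in Python: it pulls the serial number out of a DER-encoded certificate by hand and matches it against the nine serials quoted above, taking care of the leading 00 sign-padding byte that Comodo's hex includes. The certificate stub used as input is constructed for illustration, and since the notice gives no issuer, the match is on serial alone.

```python
# Serials from Comodo's notice as quoted above (hex, exactly as published).
FRAUDULENT_SERIALS_HEX = {
    "047ECBE9FCA55F7BD09EAE36E10CAE1E": "mail.google.com",
    "00F5C86AF36162F13A64F54F6DC9587C06": "www.google.com",
    "00D7558FDAF5F1105BB213282B707729A3": "login.yahoo.com",
    "392A434F0E07DF1F8AA305DE34E0C229": "login.yahoo.com",
    "3E75CED46B693021218830AE86A82A71": "login.yahoo.com",
    "00E9028B9578E415DC1A710A2B88154447": "login.skype.com",
    "009239D5348F40D1695A745470E1F23F43": "addons.mozilla.org",
    "00B0B7133ED096F9B56FAE91C874BD3AC0": "login.live.com",
    "00D8F35F4EB7872B2DAB0692E315382FB0": "global trustee",
}
# Comodo printed the raw DER INTEGER bytes: a leading 00 is sign padding, not
# part of the number. Comparing as integers makes "00F5C8..." match "F5C8...".
FRAUDULENT_SERIALS = {int(h, 16): d for h, d in FRAUDULENT_SERIALS_HEX.items()}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def serial_from_der(cert_der):
    """serialNumber of a DER X.509 certificate, parsed by hand (no libraries)."""
    _, cert_body, _ = _read_tlv(cert_der, 0)      # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert_body, 0)           # tbsCertificate SEQUENCE
    tag, value, nxt = _read_tlv(tbs, 0)
    if tag == 0xA0:                               # optional explicit [0] version: skip it
        tag, value, nxt = _read_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber, got tag 0x%02X" % tag)
    return int.from_bytes(value, "big", signed=True)   # DER INTEGER is two's complement

def match_fraudulent(cert_der):
    """Domain Comodo listed for this cert's serial, or None. Serials are unique only
    per issuer, so a full check would also confirm the issuer is that Comodo CA."""
    return FRAUDULENT_SERIALS.get(serial_from_der(cert_der))

def _der(tag, body):
    """Tiny DER encoder (bodies < 256 bytes), used only to build constructed test input."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body

def fake_cert_with_serial(serial_hex):
    """Constructed stub holding only version + serial; NOT a real or valid certificate."""
    version = _der(0xA0, _der(0x02, b"\x02"))     # [0] { INTEGER 2 } (v3)
    return _der(0x30, _der(0x30, version + _der(0x02, bytes.fromhex(serial_hex))))
```

To run this against a live server, feed `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))` to `match_fraudulent`.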
