Microsoft Jan 2013 Update to Address Critical Windows 8 Bug; Certificate Trust List (CTL) Update Prevents Fraudulent TURKTRUST Certificate

Microsoft Security Response Center (MSRC) posted details about the first security updates of 2013: on Tuesday, January 8, at approximately 10 AM Pacific Time, Microsoft will release 7 bulletins, "two critical and five Important, which address 12 vulnerabilities in Windows, Office, SharePoint Server, and its Expression Web design tool," the company said.

"The Critical-rated bulletins address issues in Microsoft Windows, Office, Developer Tools and Microsoft Server Software. The Important-rated bulletins address issues in Microsoft Windows, .NET Framework and Microsoft Server Software," adds MSRC.

Two of the critical updates address remote code execution in Windows 8 and Windows RT.

Microsoft has made no mention of the zero-day flaw in Internet Explorer 6, 7, and 8 that was revealed recently.

In other security-related news, the company has issued Security Advisory 2798897 and announced an update to the Certificate Trust List.

"(W)e are aware of active attacks using a fraudulent digital certificate issued by TURKTRUST Inc. To help protect customers, we have updated the Certificate Trust List (CTL) to remove the trust of the certificates causing this issue," MSRC wrote.

"TURKTRUST Inc. incorrectly created two subsidiary Certificate Authorities: (*.EGO.GOV.TR and e-islem.kktcmerkezbankasi.org). The *.EGO.GOV.TR subsidiary CA was then used to issue a fraudulent digital certificate to *.google.com," the MSRC blog explains.

"There is no action for customers using versions of Windows Vista and newer who have installed the Certificate Trust List feature, released in June," the team added.

Windows XP and Windows Server 2003 customers, or customers who chose not to install the CTL feature, are advised to apply knowledge base article KB2677070 "immediately."

For further information, customers may refer to the guidance in Security Advisory 2798897.

Update: Google also updated Chrome's certificate revocation metadata on December 25 to block the intermediate CA linking back to TURKTRUST.