Windows Phone7 < 7.0.7392 Out-of-Date SSL Blacklist

medium Nessus Plugin ID 62516

Synopsis

The remote Windows Phone7 device has an out-of-date SSL certificate blacklist.

Description

The remote host is missing KB2524375, which updates the system's SSL certificate blacklist.

A certificate authority (CA) has revoked a number of fraudulent SSL certificates issued for several prominent public websites. Without this update, browsers will be unable to learn that the certificates have been revoked if Online Certificate Status Protocol (OCSP) is disabled, or if OCSP is enabled but the check fails.

If an attacker can trick someone into using the affected browser and visiting a malicious website using one of the fraudulent certificates, the attacker may be able to fool that user into believing the site is a legitimate one. In turn, the user could send credentials to the malicious site or download and install applications.

Solution

Apply the relevant update provided by Microsoft.

See Also

http://www.nessus.org/u?14606051

http://www.nessus.org/u?1847e055

http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html

https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2011/2524375

https://support.microsoft.com/en-us/help/2524375/microsoft-security-advisory-fraudulent-digital-certificates-could-allo

Plugin Details

Severity: Medium

ID: 62516

File Name: windows_phone7_0_7392.nbin

Version: 1.95

Type: local

Published: 10/12/2012

Updated: 3/19/2024

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/o:windows:winphone

Required KB Items: mdm/dependency/unlocked

Patch Publication Date: 3/23/2011

Vulnerability Publication Date: 3/22/2011