Despite the hefty competition between the two companies, Google and Microsoft can agree on at least one thing: there are fake SSL certificates floating around that bad actors could use to spoof content and execute man-in-the-middle or phishing attacks against unsuspecting consumers.

Google first reported the unauthorized digital certificates last Friday. Google Security Engineer Adam Langley said the China Internet Network Information Center (CNNIC), a certificate authority (CA), issued an intermediate certificate to MCS Holdings, an Egyptian company. MCS Holdings then used its intermediate certificate to generate SSL certificates for several Google-owned Web sites without authorization.

“CNNIC is included in all major root stores and so the mis-issued certificates would be trusted by almost all browsers and operating systems,” Langley wrote in a blog post. “Chrome on Windows, OS X, and Linux, ChromeOS, and Firefox 33 and greater would have rejected these certificates because of public-key pinning, although mis-issued certificates for other sites likely exist.”

Google Users Good To Go

For Google’s part, Langley said the company promptly alerted CNNIC and other major browser makers about the incident and blocked the MCS Holdings certificate in Chrome with a CRLSet push -- a custom Chrome function that Google reserves for “emergency situations” when it needs to revoke a dangerous certificate.

“These devices intercept secure connections by masquerading as the intended destination and are sometimes used by companies to intercept their employees’ secure traffic for monitoring or legal reasons,” Langley said. “The employees’ computers normally have to be configured to trust a proxy for it to be able to do this. However, in this case, the presumed proxy was given the full authority of a public CA, which is a serious breach of the CA system.”

According to Google, Chrome users do not need to take any action to be protected by the CRLSet updates. Langley said there is no indication of abuse and Google is not suggesting that people change passwords or take any other action.
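The two defences the article names, public-key pinning and a CRLSet block, are easy to confuse, so here is an added illustration (not code from Google or the article) that models a browser's chain check over constructed stand-in certificates. The names, key bytes and pin sets are all constructed for the example; real pins are SHA-256 hashes of the DER SubjectPublicKeyInfo, which the stand-in bytes replace.

```python
import base64
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str   # hostname, or the CA's name
    issuer: str    # subject of the CA that signed it
    spki: bytes    # stand-in for the DER SubjectPublicKeyInfo (constructed)

def spki_pin(cert):
    """Pin a key the way Chrome/HPKP do: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(cert.spki).digest()).decode()

def evaluate_chain(chain, root_store, pins, crlset):
    """Chain is leaf first, root last; returns (accepted, reason).
    root_store: pins of trusted roots.  crlset: pins pushed as blocked.
    pins: {host: pins}; a pinned host needs a pinned key somewhere in its chain."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False, "broken chain"
    if spki_pin(chain[-1]) not in root_store:
        return False, "root not trusted"
    chain_pins = {spki_pin(c) for c in chain}
    if chain_pins & crlset:
        return False, "blocked by CRLSet"
    host_pins = pins.get(chain[0].subject)
    if host_pins and not (chain_pins & host_pins):
        return False, "public-key pinning failure"
    return True, "ok"

# Constructed stand-ins for the parties involved; only distinct key bytes matter here.
CNNIC = Cert("CNNIC Root", "CNNIC Root", b"cnnic-root-key")
OTHER_ROOT = Cert("Other Root", "Other Root", b"other-root-key")
MCS = Cert("MCS Holdings CA", "CNNIC Root", b"mcs-intermediate-key")
GOOGLE_IA = Cert("Google Intermediate CA", "Other Root", b"google-ia-key")
FAKE_LEAF = Cert("www.google.com", "MCS Holdings CA", b"forged-key")
REAL_LEAF = Cert("www.google.com", "Google Intermediate CA", b"real-key")
ROOT_STORE = {spki_pin(CNNIC), spki_pin(OTHER_ROOT)}   # both in every major root store
GOOGLE_PINS = {"www.google.com": {spki_pin(GOOGLE_IA), spki_pin(OTHER_ROOT)}}

def outcomes():
    """The four situations the article describes, as (accepted, reason)."""
    forged, real = [FAKE_LEAF, MCS, CNNIC], [REAL_LEAF, GOOGLE_IA, OTHER_ROOT]
    return {
        "real_chain_in_chrome": evaluate_chain(real, ROOT_STORE, GOOGLE_PINS, set()),
        "forged_no_pinning": evaluate_chain(forged, ROOT_STORE, {}, set()),
        "forged_chrome_before_crlset": evaluate_chain(forged, ROOT_STORE, GOOGLE_PINS, set()),
        "forged_after_crlset_push": evaluate_chain(forged, ROOT_STORE, {}, {spki_pin(MCS)}),
    }
```

The forged chain passes plain root-store validation (CNNIC is trusted), which is why Langley says most browsers would have accepted it; pinning rejects it because no key in the chain is one of Google's, and the CRLSet push rejects it by the MCS intermediate's key hash even in a browser with no pins.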

Microsoft Has Good and Bad News

On Tuesday, Microsoft issued a security advisory headlined “Improperly Issued Digital Certificates Could Allow Spoofing.” The digital certificates Microsoft was referring to are the same ones Google called out.

The good news, according to Microsoft, is that the improperly issued certificates cannot be used to issue other certificates, impersonate other domains, or sign code. The bad news is that the issue affects all supported releases of Microsoft Windows.

“To help protect customers from the potentially fraudulent use of these improperly issued certificates, Microsoft is updating the Certificate Trust List to remove the trust of the subordinate CA certificate,” Microsoft said in its security advisory. Microsoft issued an out-of-cycle Windows update to fix the problem.

“The trusted root Certificate Authority, the China Internet Network Information Center, has also revoked the certificate of the subordinate CA. Microsoft is working on an update for Windows Server 2003 customers and will release it once fully tested,” Microsoft said.