FAQ: Microsoft's security breach

After two digital certificates were mistakenly issued in Microsoft's name, consumers may wonder if they are vulnerable to downloading software from less-than-safe sources.

Robert Lemos, Staff Writer, CNET News.com
Robert Lemos covers viruses, worms and other security threats.

According to Microsoft, someone posing as a Microsoft employee tricked VeriSign, the certificate authority that issues digital certificates, into issuing two code-signing certificates in the software giant's name.

Here are some frequently asked questions about how digital certificates and signatures work, and the risks of downloading software from the Internet.

What happened?
VeriSign, a major Internet company that provides trusted authentication and transaction services, mistakenly issued two digital certificates in Microsoft's name to an unknown person who posed as an employee of Microsoft.

What's a digital certificate?
A digital certificate is used to "notarize" electronic documents, such as contracts, Web sites and even code. Each certificate verifies that an author has digitally signed the document and a third party, in this case VeriSign, acts as a notary, adding a level of trust.

In this case, the certificates are code-signing certificates of the kind Microsoft uses to vouch for its own software. Whoever holds the private keys matching the fraudulent certificates could sign a malicious program, such as a virus or Trojan horse, so that it appears to come from Microsoft and passes every check that looks only at the signature.
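The mechanism described above, as an added example that is not part of the original article: a short Go program plays the certificate authority, issues a code-signing certificate to the real publisher and an identical-looking one to an impostor who merely claimed the same name, then runs the verification that an "only run signed code" policy performs. Everything in it is constructed for the example: the CA name "Example CA" standing in for VeriSign, the subject name, the serial numbers and the program bytes. The fingerprint-pinning check at the end is one possible extra defense, not the identification method Microsoft's bulletin describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// signer pairs a certificate with the private key whose signatures it vouches for.
type signer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue creates a key pair and a code-signing certificate for the claimed name,
// signed by ca, or self-signed when ca is nil (the root). Nothing here checks that
// the applicant really is who the name says: that vetting is the CA's job.
func issue(ca *signer, serial int64, name string) (*signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), // constructed value for the example
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	parent, parentKey := tmpl, key // self-signed unless a CA is given
	if ca != nil {
		parent, parentKey = ca.cert, ca.key
	} else {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		tmpl.ExtKeyUsage = nil
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &signer{cert, key}, err
}

// sign produces the publisher's signature over the program bytes.
func sign(s *signer, program []byte) ([]byte, error) {
	digest := sha256.Sum256(program)
	return ecdsa.SignASN1(rand.Reader, s.key, digest[:])
}

// publisher runs the check an "only run signed code" policy makes: chain the
// certificate to a trusted root, confirm the signature covers the program, and
// report the name in the certificate. A CA-issued impostor passes like the genuine one.
func publisher(root, cert *x509.Certificate, program, sig []byte) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(program)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", fmt.Errorf("signature does not match program")
	}
	return cert.Subject.CommonName, nil
}

// fingerprint is the SHA-256 of the DER certificate. Pinning the fingerprints of the
// publisher certificates you expect is one way to reject a same-name impostor (an added check).
func fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

func main() {
	// Errors are ignored here for brevity; the functions above return them.
	ca, _ := issue(nil, 1, "Example CA")                    // stand-in for VeriSign
	genuine, _ := issue(ca, 100, "Microsoft Corporation")  // the real publisher
	impostor, _ := issue(ca, 101, "Microsoft Corporation") // an applicant who lied to the CA
	program := []byte("constructed sample program bytes")
	pinned := map[string]bool{fingerprint(genuine.cert): true}
	for _, s := range []*signer{genuine, impostor} {
		sig, _ := sign(s, program)
		name, err := publisher(ca.cert, s.cert, program, sig)
		fmt.Printf("serial %v: publisher=%q err=%v pinned=%v\n", s.cert.SerialNumber, name, err, pinned[fingerprint(s.cert)])
	}
}
```

Both certificates chain to the same root and both signatures verify, so `publisher` reports "Microsoft Corporation" for the impostor exactly as it does for the genuine certificate; only a check that looks past the name, such as the fingerprint pin, tells them apart.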

How does it affect me?
To Microsoft's and VeriSign's knowledge, the two certificates have not yet been used. However, a program signed with them would carry Microsoft's name and could more easily fool people--even those who are careful to "only trust signed code"--into running a malicious program.

Also, it has been six weeks since VeriSign issued the certificates. They may already have been used to get malicious code into a company or government agency.

How can I avoid getting burnt by this?
Don't open e-mail attachments unless they were sent by a friend and you expected the attachment.

Don't download strange programs from the Internet. If a "Security Warning" dialog box does pop up, click on the company name to get more information about the certificate behind the signature. Keep in mind that a program signed with the bogus certificates would also show Microsoft's name in that dialog, so the name alone proves nothing.

To determine how to identify code signed with the bad certificates, see the extensive bulletin on the vulnerability published by Microsoft.

Can any digital signatures be trusted?
As this case shows, a valid digital signature alone is not a guarantee that you can trust signed code. It proves only that the code was signed with a key that a certificate authority linked to a name, not that the name is right or that the code is safe.

So far, the technology behind a digital signature can be trusted; what failed here was VeriSign's identity check, not the cryptography. Each user still has to evaluate whether he or she trusts the other two parties involved: the company that signed the code and the certificate authority that vouched for its identity.