Microsoft warns of hijacked certificates

VeriSign issues two digital certificates in the software giant's name that could allow viruses and malicious programs to pose as legitimate patches and updates.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
4 min read
Two digital certificates have been mistakenly issued in Microsoft's name that could be used by virus writers to fool people into running harmful programs, the software giant warned Thursday.

see story: FAQ According to Microsoft, someone posing as a Microsoft employee tricked VeriSign, which hands out so-called digital signatures, into issuing the two certificates in the software giant's name on Jan. 30 and Jan. 31.

Such certificates are critical for businesses and consumers who download patches, updates and other pieces of software from the Internet, because they verify that the software is being supplied from a particular company, such as Microsoft.

In this case, a person using the VeriSign-issued certificates could post a virus on the Web that would appear to be from Microsoft but could actually be used to wipe out a person's hard drive, for example.

"Our main interest right now is to get the word out and let people know what they can do," said Steve Lipner, manager of Microsoft's Security Response Center. Microsoft first heard of the incident last week when VeriSign notified the Redmond, Wash.-based company. Lipner added that the FBI has been asked to investigate.

A Microsoft security bulletin issued Thursday states that the vulnerability could affect "all customers using Microsoft products."

Gartner analyst John Pescatore says VeriSign's issuing of bogus bona fides points to an apparent problem with its process for verifying the legitimate identity of applicants for digital certificates.

see commentary

"The certificates could be used to sign programs, ActiveX controls, Office macros, and other executable content," states the bulletin. "Of these, ActiveX controls and Office macros would pose the greatest risk, because the attack scenarios involving them would be the most straightforward."

So far, there is no evidence that the certificates have been used, Lipner said.

Normally, VeriSign assigns a new certificate after receiving an appropriate request. Mahi de Silva, vice president and general manager of applied services at the Mountain View, Calif., company, would not elaborate on how the company verifies requests, but said, "Due to human error we did not detect that the individual misrepresented that they worked for Microsoft when, in fact, they did not."

After granting a request for new certificates, VeriSign verifies by e-mail that its customer has ordered the new codes. In this case, "it took awhile for the feedback loop from (Microsoft) to get back to us," de Silva said. Once VeriSign did hear back from Microsoft, the company realized that the certificates should not have been issued.

"We screwed up in issuing the certificate," de Silva said. "However, our second-stage fraud protection caught that mistake. We are not trying to shift the blame."

The two certificates represent the first time VeriSign has falsely issued such codes, de Silva added, noting that the company has handed out more than 500,000 certificates. "Class 3" certificates come with up to $100,000 in liability protection for the customer--in this case, Microsoft.

VeriSign has "blacklisted" the certificates by placing them on a revocation list. However, the certificates issued for software authentication by VeriSign do not have a link the list and so do not automatically protect customers against the fraudulent codes.

Microsoft said it intends to release an update next week that will automatically detect the signatures and warn users that they are invalid.

Roger Thompson, technical director of malicious code research for security services company TruSecure, said the threat posed by the certificates depends on who has access to them.

If an online vandal decided to spoof VeriSign just to brag, then there will be little damage.

"It shouldn't be a problem as long as people understand what's going on," he said. "The security bulletin tells how to determine if it is a dead certificate, and any malicious code has to both fool the user and any antivirus software."

Yet, if the cyberthief has an agenda, the damage could be significant.

"If it was someone with a purpose in mind, then six weeks is a long time to do something," he said. If the attacker wanted to compromise a company or a government agency by creating forged Microsoft-signed certificates, the damage may already be done.

"If the job was to install a sniffer, then there could be a zillion backdoors as a result of it," Thompson said. A sniffer allows an intruder to grab everything typed by a person on a computer, including passwords, and usually leads to a total compromise of security.

According to Thursday's security bulletin, detecting the phony "Class 3" certificates is fairly straightforward.

When people double-click a Web link to install a program, a "Security Warning" dialog box pops up with details of the certificate used to sign the code. The dialog box will appear even on computers where the person had previously said to trust all Microsoft code.

People should click the hyperlinked "Microsoft Corporation" name to get more information on the certificate. If the "Valid from" field starts with either a Jan. 29, 2001, date or a Jan. 30, 2001, date, the certificate is fraudulent and the person should not download the software. (The time stamps are a day behind the issuing dates because certificates are based on Greenwich Mean Time.)

Microsoft has asked anyone finding such a certificate to contact it at secure@microsoft.com.