To: mr.mark who started this subject 3/26/2001 9:52:27 PM
From: Investor2 of 110653

Overview

On January 29 and 30, 2001, VeriSign, Inc. issued two certificates to
an individual fraudulently claiming to be an employee of Microsoft
Corporation. Any code signed by these certificates will appear to be
legitimately signed by Microsoft when, in fact, it is not. Although
users who try to run code signed with these certificates will
generally be presented with a warning dialog, there will not be any
obvious reason to believe that the certificate is not authentic.

I. Description

Microsoft released a security bulletin on March 22, 2001, describing
two certificates issued by VeriSign to an individual fraudulently
claiming to be an employee of Microsoft. The full text of Microsoft's
security bulletin is available from their web site at

microsoft.com

Additional information about this issue is also available from
VeriSign's web site:

verisign.com

This issue presents a security risk because even a reasonably cautious
user could be deceived into trusting the bogus certificates, since
they appear to be from Microsoft. Once accepted, these certificates
may allow an attacker to execute malicious code on the user's system.

This problem is the result of a failure by the certificate authority
to correctly authenticate the recipient of a certificate. VeriSign has
taken the appropriate action by revoking the certificates in question.
However, this in itself is insufficient to prevent the malicious use
of these certificates until a patch has been installed, because
Internet Explorer does not check for such revocations automatically.

II. Impact

Anyone with the private portions of the certificates can sign code
such that it appears to have originated from Microsoft Corporation. If
the user approves the execution of code signed by one of the bogus
certificates, it can take any action on the system with the privileges
of the user who approved the execution. The fake certificates can only
be used for Authenticode signing.

III. Solution

Check "Microsoft Corporation" Certificates

You can identify the fake certificates by checking the validity dates
and serial numbers of the certificates. When prompted to authorize the
execution of code signed by "Microsoft Corporation", press the "More
Info" button to obtain additional information about the certificate
used to sign the code.

The fake certificates have the following description:

Issued to: Microsoft Corporation
Issued by: VeriSign Commercial Software Publishers CA
Valid from 1/29/2001 to 1/30/2002
Serial number is 1B51 90F7 3724 399C 9254 CD42 4637 996A

Issued to: Microsoft Corporation
Issued by: VeriSign Commercial Software Publishers CA
Valid from 1/30/2001 to 1/31/2002
Serial number is 750E 40FF 97F0 47ED F556 C708 4EB1 ABFD

No legitimate certificates were issued to Microsoft between January 29
and 30, 2001. Certificates with these initial validity dates or serial
numbers should not be authorized to execute code.

Best wishes,

I2
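The check described in section III (compare the serial number and the start of the validity period shown in the "More Info" dialog against the two fraudulent certificates) can be automated so that a user or help desk does not have to compare 32 hex digits by eye. The following is an added example written for this page, not code from the original post, from CERT, Microsoft or VeriSign. The two serial numbers and the January 29 to 30, 2001 issue window come from the post; the input format (a dictionary of the fields a user reads off the dialog, as plain strings) and the sample certificates, including the colon-separated lowercase serial and the "legitimate" certificate, are constructed for illustration.

```python
"""Flag the two fraudulently issued "Microsoft Corporation" certificates
from the details shown in an Authenticode prompt.

Added example. Serial numbers and the suspect issue window are taken from
the advisory text; the input layout and sample certificates are constructed.
"""
import re
from datetime import date, datetime

# Serial numbers of the two fraudulently issued certificates (from the advisory).
FRAUDULENT_SERIALS = {
    "1B51 90F7 3724 399C 9254 CD42 4637 996A",
    "750E 40FF 97F0 47ED F556 C708 4EB1 ABFD",
}

# No legitimate certificate was issued to Microsoft on these two days.
SUSPECT_ISSUE_WINDOW = (date(2001, 1, 29), date(2001, 1, 30))


def normalize_serial(serial: str) -> int:
    """Parse a serial number as a dialog displays it.

    Accepts hex digits grouped by spaces or colons, upper or lower case,
    with or without a leading 0x, and returns the integer value so that
    differences in display formatting cannot defeat the comparison.
    """
    hex_digits = re.sub(r"[\s:]", "", serial)
    if hex_digits.lower().startswith("0x"):
        hex_digits = hex_digits[2:]
    if not re.fullmatch(r"[0-9A-Fa-f]+", hex_digits):
        raise ValueError(f"not a hex serial number: {serial!r}")
    return int(hex_digits, 16)


# Compare as integers, never as the displayed strings.
FRAUDULENT_SERIAL_VALUES = {normalize_serial(s) for s in FRAUDULENT_SERIALS}


def parse_us_date(text: str) -> date:
    """Parse an M/D/YYYY date as shown in the dialog, e.g. "1/29/2001"."""
    return datetime.strptime(text.strip(), "%m/%d/%Y").date()


def parse_validity(text: str):
    """Parse "Valid from 1/29/2001 to 1/30/2002" into (not_before, not_after)."""
    match = re.fullmatch(r"\s*Valid from\s+(\S+)\s+to\s+(\S+)\s*", text)
    if not match:
        raise ValueError(f"unrecognized validity line: {text!r}")
    return parse_us_date(match.group(1)), parse_us_date(match.group(2))


def assess_certificate(cert: dict) -> list:
    """Return the reasons (possibly none) this certificate should not be trusted.

    `cert` holds the strings a user reads off the prompt: "issued_to",
    "issued_by", "validity" and "serial" (constructed field names).
    """
    reasons = []
    if cert.get("issued_to") != "Microsoft Corporation":
        return reasons  # the advisory only concerns certificates in Microsoft's name
    if normalize_serial(cert["serial"]) in FRAUDULENT_SERIAL_VALUES:
        reasons.append("serial number matches a fraudulently issued certificate")
    not_before, _not_after = parse_validity(cert["validity"])
    if SUSPECT_ISSUE_WINDOW[0] <= not_before <= SUSPECT_ISSUE_WINDOW[1]:
        reasons.append(
            f"validity begins {not_before.isoformat()}, when no legitimate "
            "Microsoft certificate was issued"
        )
    return reasons


# Constructed sample inputs: the two advisory certificates (one retyped in a
# different display format) and a made-up certificate with an unrelated serial.
SAMPLE_CERTIFICATES = {
    "fraudulent_first": {
        "issued_to": "Microsoft Corporation",
        "issued_by": "VeriSign Commercial Software Publishers CA",
        "validity": "Valid from 1/29/2001 to 1/30/2002",
        "serial": "1B51 90F7 3724 399C 9254 CD42 4637 996A",
    },
    "fraudulent_second_colon_format": {
        "issued_to": "Microsoft Corporation",
        "issued_by": "VeriSign Commercial Software Publishers CA",
        "validity": "Valid from 1/30/2001 to 1/31/2002",
        "serial": "75:0e:40:ff:97:f0:47:ed:f5:56:c7:08:4e:b1:ab:fd",
    },
    "unrelated_sample": {  # constructed, not a real certificate
        "issued_to": "Microsoft Corporation",
        "issued_by": "VeriSign Commercial Software Publishers CA",
        "validity": "Valid from 6/15/2000 to 6/15/2001",
        "serial": "0123 4567 89AB CDEF 0123 4567 89AB CDEF",
    },
}

if __name__ == "__main__":
    for name, cert in SAMPLE_CERTIFICATES.items():
        verdict = assess_certificate(cert)
        print(f"{name}: {'DO NOT TRUST' if verdict else 'no match'}")
        for reason in verdict:
            print(f"  - {reason}")
```

Serial numbers are compared as integers after stripping separators, because different dialogs print the same value with spaces, colons or lowercase digits. The date check is kept separate from the serial check so that either indicator alone is enough to refuse the prompt, which is what the post's last paragraph asks for.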