Microsoft warns of hijacked certificates
By Robert Lemos
Special to CNET News.com
March 22, 2001, 2:20 p.m. PT
update Two digital certificates have been mistakenly issued in Microsoft's name that
could be used by virus writers to fool people into running harmful programs, the
software giant warned Thursday.
According to Microsoft, someone posing as a Microsoft employee tricked
VeriSign, which hands out so-called digital signatures, into issuing the two
certificates in the software giant's name on Jan. 30 and Jan. 31.
Such certificates are critical for businesses and consumers who download
patches, updates and other pieces of software from the Internet, because
they verify that the software is being supplied from a particular company, such as Microsoft.
In this case, a person using the VeriSign-issued certificates could post a virus on the Web that
would appear to be from Microsoft but could actually be used to wipe out a person's hard drive,
for example.
"Our main interest right now is to get the word out and let people know what they can do," said
Steve Lipner, manager of Microsoft's Security Response Center. Microsoft first heard of the
incident last week when VeriSign notified the Redmond, Wash.-based company. Lipner added
that the FBI has been asked to investigate.
A Microsoft security bulletin issued Thursday states that the vulnerability could affect "all
customers using Microsoft products."
"The certificates could be used to sign programs, ActiveX controls, Office macros, and other
executable content," states the bulletin. "Of these, ActiveX controls and Office macros would
pose the greatest risk, because the attack scenarios involving them would be the most
straightforward."
So far, there is no evidence that the certificates have been used, Lipner said.
Normally, VeriSign assigns a new certificate after receiving an appropriate request. Mahi de
Silva, vice president and general manager of applied services at the Mountain View, Calif.,
company, would not elaborate on how the company verifies requests, but said, "Due to human
error we did not detect that the individual misrepresented that they worked for Microsoft when,
in fact, they did not."
After granting a request for new certificates, VeriSign verifies by e-mail that its customer has
ordered the new codes. In this case, "it took awhile for the feedback loop from (Microsoft) to
get back to us," de Silva said. Once VeriSign did hear back from Microsoft, the company
realized that the certificates should not have been issued.
"We screwed up in issuing the certificate," de Silva said. "However, our second-stage fraud
protection caught that mistake. We are not trying to shift the blame."
The two certificates represent the first time VeriSign has falsely issued such codes, de Silva
added, noting that the company has handed out more than 500,000 certificates. "Class 3"
certificates come with up to $100,000 in liability protection for the customer--in this case,
Microsoft.
VeriSign has "blacklisted" the certificates by placing them on a revocation list. However, the
certificates issued for software authentication by VeriSign do not have a link the list and so do
not automatically protect customers against the fraudulent codes.
Microsoft said it intends to release an update next week that will automatically detect the
signatures and warn users that they are invalid.
Roger Thompson, technical director of malicious code research for security services company
TruSecure, said the threat posed by the certificates depends on who has access to them.
If an online vandal decided to spoof VeriSign just to brag, then there will be little damage.
"It shouldn't be a problem as long as people understand what's going on," he said. "The
security bulletin tells how to determine if it is a dead certificate, and any malicious code has to
both fool the user and any antivirus software."
Yet, if the cyberthief has an agenda, the damage could be significant.
"If it was someone with a purpose in mind, then six weeks is a long time to do something," he
said. If the attacker wanted to compromise a company or a government agency by creating
forged Microsoft-signed certificates, the damage may already be done.
"If the job was to install a sniffer, then there could be a zillion backdoors as a result of it,"
Thompson said. A sniffer allows an intruder to grab everything typed by a person on a
computer, including passwords, and usually leads to a total compromise of security.
According to Thursday's security bulletin, detecting the phony "Class 3" certificates is fairly
straightforward.
When people double-click a Web link to install a program, a "Security Warning" dialog box
pops up with details of the certificate used to sign the code. The dialog box will appear even on
computers where the person had previously said to trust all Microsoft code.
People should click the hyperlinked "Microsoft Corporation" name to get more information on
the certificate. If the "Valid from" field starts with either a Jan. 29, 2001, date or a Jan. 30,
2001, date, the certificate is fraudulent and the person should not download the software. (The
time stamps are a day behind the issuing dates because certificates are based on Greenwich
Mean Time.)
Microsoft has asked anyone finding such a certificate to contact it at secure@microsoft.com.
news.cnet.com |
