03-26-01, 05:19 AM
VeriSign, Inc., recently advised Microsoft that on January 30
and 31, 2001, it issued two VeriSign Class 3 code-signing
digital certificates to an individual who fraudulently claimed
to be a Microsoft employee. The common name assigned to both
certificates is "Microsoft Corporation...." However, even
though the certificates say they are owned by Microsoft, they
are not bona fide Microsoft certificates... The danger, of
course, is that even a security-conscious user might agree to
let the content execute, and might agree to always trust the
bogus certificates.
In other words, a malicious hacker fooled VeriSign into thinking he or
she was from Microsoft; VeriSign then issued "Microsoft" digital
certificates to this individual. Those certificates would make it seem
that the hacker's code was from Microsoft, and might fool people into
downloading and running the code--- which could do almost anything to
your system.
Note that this is a VeriSign problem, not a Microsoft problem. VeriSign
has revoked the bogus certificates, but there's still a residual risk
that you could end up being presented with the fake, and now-revoked,
certificates due to a weakness in the way the VeriSign Certificate
Revocation List works.
To their credit, Microsoft is trying to develop a workaround that will
give users pseudo-access to the Certificate Revocation List, but because
this involves patching all Microsoft software that uses digital
certificates--- and that goes back to 1995 and includes all versions of
Win95, Win98, WinME, Win NT, and Win2000--- it's going to take a while.
In the meantime: If you download software allegedly from Microsoft and
see a digital certificate dated the 29th or 30th of January 2001,
reject it: No bona fide Microsoft certificates were issued on these
dates, so you won't be missing anything legitimate. In fact, all you'll
be missing is bogus--- and probably hostile--- code.
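The post's two lessons, that a certificate's common name is not proof of who holds it and that an "always trust" answer or a missing revocation check lets a revoked certificate through, can be shown in a small trust-decision routine. The code below is an added illustration written for this page; it is not Microsoft's, VeriSign's, or the poster's code, and it works on a simplified in-memory model of a certificate and a CRL rather than real X.509 parsing. The issuer string, serial numbers, dates and CRL contents are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import FrozenSet, Optional, Set, Tuple

UTC = timezone.utc


@dataclass(frozen=True)
class Cert:
    """Simplified code-signing certificate (constructed model, not a real X.509 parse)."""
    issuer: str
    serial: int
    subject_cn: str
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class CRL:
    """Simplified certificate revocation list with its own freshness window."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: FrozenSet[int]


def revocation_status(cert: Cert, crl: Optional[CRL], now: datetime) -> Optional[bool]:
    """True = revoked, False = not revoked, None = this CRL cannot answer.

    A CRL from a different issuer, or one used outside its own validity
    window, says nothing about the certificate; callers must treat None
    as 'unknown', never as 'fine'."""
    if crl is None or crl.issuer != cert.issuer:
        return None
    if not (crl.this_update <= now <= crl.next_update):
        return None
    return cert.serial in crl.revoked_serials


def decide(cert: Cert, crl: Optional[CRL], now: datetime,
           trusted_publishers: Set[Tuple[str, int]],
           blocked_issue_dates: Set[date] = frozenset()) -> Tuple[str, str]:
    """Return ("run" | "prompt" | "reject", reason).

    trusted_publishers is keyed by (issuer, serial), never by common name,
    so an 'always trust' answer given to a genuine certificate does not
    carry over to a different certificate that merely bears the same name.
    blocked_issue_dates lets an operator refuse certificates issued on
    dates known to be suspect, as the post advises."""
    if not (cert.not_before <= now <= cert.not_after):
        return ("reject", "certificate outside its validity period")
    if cert.not_before.date() in blocked_issue_dates:
        return ("reject", "issued on a date the operator has blocklisted")
    status = revocation_status(cert, crl, now)
    if status is None:
        return ("prompt", "revocation status unknown: no usable CRL, do not auto-run")
    if status:
        return ("reject", "certificate is on the issuer's CRL")
    if (cert.issuer, cert.serial) in trusted_publishers:
        return ("run", "not revoked and previously trusted by issuer+serial")
    return ("prompt", "not revoked but not previously trusted")


def decide_by_name_only(cert: Cert, trusted_names: Set[str]) -> str:
    """The weak policy the post warns about: trust keyed on the common name
    alone, with no revocation check. Included only for contrast."""
    return "run" if cert.subject_cn in trusted_names else "prompt"


# ---- constructed sample data: issuer name, serials and dates are made up ----
ISSUER = "CN=Example Class 3 Code Signing CA"  # placeholder, not a real CA name
GENUINE = Cert(ISSUER, 1001, "Microsoft Corporation",
               datetime(2000, 6, 1, tzinfo=UTC), datetime(2002, 6, 1, tzinfo=UTC))
BOGUS = Cert(ISSUER, 2002, "Microsoft Corporation",
             datetime(2001, 1, 30, tzinfo=UTC), datetime(2002, 1, 30, tzinfo=UTC))
FRESH_CRL = CRL(ISSUER, datetime(2001, 3, 22, tzinfo=UTC),
                datetime(2001, 4, 22, tzinfo=UTC), frozenset({2002}))
STALE_CRL = CRL(ISSUER, datetime(2001, 1, 1, tzinfo=UTC),
                datetime(2001, 1, 15, tzinfo=UTC), frozenset())
NOW = datetime(2001, 3, 26, tzinfo=UTC)
# The user once clicked "always trust" on the genuine certificate.
TRUSTED = {(GENUINE.issuer, GENUINE.serial)}


def demo():
    results = {
        "genuine, fresh CRL": decide(GENUINE, FRESH_CRL, NOW, TRUSTED),
        "bogus, fresh CRL": decide(BOGUS, FRESH_CRL, NOW, TRUSTED),
        "bogus, stale CRL": decide(BOGUS, STALE_CRL, NOW, TRUSTED),
        "bogus, no CRL": decide(BOGUS, None, NOW, TRUSTED),
        "bogus, name-only policy": decide_by_name_only(BOGUS, {"Microsoft Corporation"}),
    }
    for label, result in results.items():
        print(f"{label:28s} -> {result}")
    return results


if __name__ == "__main__":
    demo()
```

The point of the stale-CRL and no-CRL cases is that a verifier which cannot reach a current revocation list should fall back to prompting, not to silently trusting; the name-only policy shows why a trust store keyed on "Microsoft Corporation" would have accepted the second certificate without asking.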