Advisories
Jan 2001 - Advisory from VeriSign, Inc.
VeriSign, Inc. discovered through its routine fraud screening procedures that on 29 and 30 January 2001 it issued two digital certificates to an individual who fraudulently claimed to be a representative of Microsoft Corporation. VeriSign immediately revoked the certificates. The updated certificate revocation list (CRL) is available at http://crl.verisign.com/Class3SoftwarePublishers.crl or through VeriSign's real-time Online Certificate Status Protocol (OCSP) services.
The certificates were VeriSign Class 3 Software Publisher certificates and could be used to sign executable content under the name "Microsoft Corporation". The risk associated with these certificates is that the fraudulent party could produce digitally signed code that appears to come from Microsoft Corporation. In this scenario, the fraudulent party could create a destructive program or ActiveX control, sign it using either certificate, and host it on a Web site or distribute it to other Web sites.
What you should do:
VeriSign is working closely with Microsoft, which has developed an update that will protect customer desktops in two ways: a) by downloading a VeriSign certificate revocation list (CRL) and enabling CRL checking for software publisher certificates, and b) by scanning the user's system for any sign that the user has previously accepted content signed using either certificate. The update will be available shortly, at which time Microsoft will provide specific details. VeriSign encourages all users to download this security update when it becomes available. For more information, see the Microsoft bulletin at http://www.microsoft.com/technet/security/bulletin/MS01-017.mspx.
Alternatively, whenever a user encounters signed objects, they can make a trust decision to accept or reject the code based on the information presented by a warning dialog. This trust decision is handled on a per-certificate basis, and code cannot be made to run without displaying the warning dialog to the user. If users encounter code or content signed by these fraudulent certificates, they should visually inspect the certificates cited in the warning dialog and reject the code. For instructions, see the Description of Authenticode warning dialog.
Finally, a number of vendors have deployed solutions to protect users and enterprises against the potential vulnerability posed by these fraudulently acquired certificates. These solutions include content filtering firewalls and virus scanning software that detect content digitally signed by these certificates. For more information see Network Associates.
The two certificates were issued on 29 and 30 January 2001, respectively. No bona fide Microsoft certificates were issued on these dates. The offending certificates are:
Certificate 1:
- Issued by VeriSign Commercial Software Publishers CA
- Validity period is 1/29/2001 to 1/30/2002
- Serial number is 1B51 90F7 3724 399C 9254 CD42 4637 996A
Certificate 2:
- Issued by VeriSign Commercial Software Publishers CA
- Validity period is 1/30/2001 to 1/31/2002
- Serial number is 750E 40FF 97F0 47ED F556 C708 4EB1 ABFD
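As an added example (not part of VeriSign's advisory, and not VeriSign's or Microsoft's code), the following Python script shows the kind of CRL check that the Microsoft update described above enables: it walks a DER-encoded X.509 CRL and tests whether a certificate's serial number appears in the revokedCertificates list. Because it must run offline, the script constructs its own sample CRL, issued under a made-up name with an empty signature value, listing the two serial numbers given above; a real check would fetch the CRL from the URL in the advisory and verify its signature against the issuing CA's certificate before trusting its contents. The DER helpers and the functions build_sample_crl, revoked_serials and is_revoked are this example's own names, not VeriSign's.

```python
"""Check certificate serial numbers against a DER-encoded X.509 CRL (added example).

The CRL used here is constructed inline for offline use; it is NOT VeriSign's CRL.
A real check must also verify the CRL's signature against the issuing CA.
"""
import datetime

# Serial numbers of the two fraudulently issued certificates, as listed in the advisory.
FRAUDULENT_SERIALS = (
    "1B51 90F7 3724 399C 9254 CD42 4637 996A",
    "750E 40FF 97F0 47ED F556 C708 4EB1 ABFD",
)


def normalize_serial(text):
    """Parse a serial number from hex text, ignoring spaces, colons and case."""
    return int(text.replace(" ", "").replace(":", "").strip(), 16)


# --- minimal DER encoder, used only to construct the sample CRL ---

def _der_len(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def der_int(value):
    """Encode a non-negative INTEGER with the minimal two's-complement body."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    while len(body) > 1 and body[0] == 0 and body[1] < 0x80:
        body = body[1:]
    return der(0x02, body)


def der_seq(*items):
    return der(0x30, b"".join(items))


def der_utctime(dt):
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def build_sample_crl(revoked, issuer_cn="Constructed Sample CA"):
    """Build a DER CertificateList listing `revoked` (ints); empty signature, sample only."""
    # AlgorithmIdentifier sha1WithRSAEncryption (1.2.840.113549.1.1.5) with NULL params
    alg = der_seq(der(0x06, bytes.fromhex("2a864886f70d010105")), der(0x05, b""))
    # issuer Name: SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (CN), UTF8String } } }
    cn = der_seq(der(0x06, bytes.fromhex("550403")), der(0x0C, issuer_cn.encode()))
    issuer = der_seq(der(0x31, cn))
    this_update = datetime.datetime(2001, 1, 31)   # constructed date
    next_update = this_update + datetime.timedelta(days=7)
    entries = [der_seq(der_int(s), der_utctime(this_update)) for s in revoked]
    tbs = der_seq(der_int(1), alg, issuer, der_utctime(this_update),
                  der_utctime(next_update), der_seq(*entries))
    # BIT STRING: leading byte = number of unused bits; no signature bytes follow
    return der_seq(tbs, alg, der(0x03, b"\x00"))


# --- minimal DER decoder: enough to walk a CRL's revokedCertificates ---

def parse_tlv(data, pos=0):
    """Decode one TLV (single-byte tags) at pos; return (tag, content, end)."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(data[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    return tag, data[start:start + length], start + length


def parse_children(content):
    """Decode all sibling TLVs inside a constructed value."""
    items, pos = [], 0
    while pos < len(content):
        tag, body, pos = parse_tlv(content, pos)
        items.append((tag, body))
    return items


def revoked_serials(crl_der):
    """Return the set of serial numbers (ints) in the CRL's revokedCertificates."""
    _, cert_list, _ = parse_tlv(crl_der)        # CertificateList
    _, tbs, _ = parse_tlv(cert_list)            # TBSCertList
    fields = parse_children(tbs)
    idx = 1 if fields[0][0] == 0x02 else 0      # optional version INTEGER
    idx += 3                                    # signature, issuer, thisUpdate
    if idx < len(fields) and fields[idx][0] in (0x17, 0x18):
        idx += 1                                # optional nextUpdate (UTCTime/GeneralizedTime)
    serials = set()
    if idx < len(fields) and fields[idx][0] == 0x30:  # revokedCertificates present
        for _, entry in parse_children(fields[idx][1]):
            _, serial_bytes = parse_children(entry)[0]   # userCertificate INTEGER
            serials.add(int.from_bytes(serial_bytes, "big", signed=True))
    return serials


def is_revoked(serial_text, crl_der):
    """True if the serial (in any hex spelling) is listed in the CRL."""
    return normalize_serial(serial_text) in revoked_serials(crl_der)


if __name__ == "__main__":
    crl = build_sample_crl([normalize_serial(s) for s in FRAUDULENT_SERIALS])
    for serial in FRAUDULENT_SERIALS + ("0123 4567 89AB CDEF",):   # last one is constructed
        print(f"{serial}: {'REVOKED' if is_revoked(serial, crl) else 'not listed'}")
```

Serial numbers are compared as integers after normalization, so the spaced form printed in the advisory, the colon-separated form shown by many certificate viewers, and lower-case hex all match the same CRL entry. The decoder handles only single-byte tags and the CRL fields needed here, which is enough for a CRL of this shape; it deliberately does nothing about the signature, which is the part a production check must not skip.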
VeriSign considers any fraudulent activity extremely serious and is working with the proper authorities in an active investigation of this matter. The company is also taking active steps to augment technical controls and manual screening procedures around the vetting process for code signing digital certificates.
For more information, read our Frequently Asked Questions on this topic.
Questions regarding this incident should be directed to:
VeriSign's Emergency Security Team, 650-426-5237
or e-mail vest@verisign.com
VeriSign Media, Cheryl Regan, 703-742-4847, cregan@netsol.com
Brian O'Shaughnessy, 650-426-5270, boshaughnessy@verisign.com