Advisories - Fraud Detected in Authenticode FAQ's from VeriSign, Inc.


Advisories

Fraud Detected in Authenticode FAQ's

These FAQs address questions about a Security Alert issued by VeriSign regarding fraudulently issued Authenticode Code Signing Certificates.

Frequently Asked Questions

Where can I get more information?

VeriSign has issued a Security Alert. Microsoft has also issued a Security Bulletin, available at http://www.microsoft.com/technet/security/bulletin/MS01-017.asp.

What should I do if I encounter content signed by these fraudulent certificates?

Contact the VeriSign Emergency Security Team immediately at vest@verisign.com or 650-426-5237.

What risk does this pose for Microsoft? And users of Microsoft Software?

The risk associated with these certificates is that the fraudulent party could produce digitally signed code that appears to come from Microsoft Corporation. In this scenario, the fraudulent party could create a destructive program or ActiveX control, sign it using either certificate, and host it on a Web site or distribute it to other Web sites. A user who encountered this code or content would see a warning dialog explaining that the code was digitally signed by Microsoft Corporation. The user would always see this warning dialog, even if Microsoft were already a trusted software publisher, because trust is handled on a per-certificate basis. To see details of this process, follow these instructions.

Do these certificates pose the same risk to other code signing initiatives, like Netscape Object Signing?

No. These digital certificates do not pose the same potential for risk outlined above to Netscape object signing, Java code signing, or any of the other code signing initiatives supported by VeriSign. The fraudulent certificates are issued from a Certificate Authority that is specific to the Microsoft Authenticode Program.

What is a code signing certificate?

The VeriSign Code Signing Digital ID enables software developers to digitally sign software and macros for secure delivery over the Internet. Customers who download this signed content from a Web site can be confident that the code really comes from a bona fide software publisher and has not been altered or corrupted since it was created and signed. For more information, please view the VeriSign Code Signing Products pages.

How did the company detect the fraud?

The company detected the fraud through a routine stage-two screening process. When we confirmed the existence of fraud, we immediately revoked the certificates.

Are you and the authorities investigating this matter?

We are working with Microsoft and law enforcement agencies as part of our investigation. It is premature and may compromise our investigation to offer any further comments.

How does revocation work? Is that enough to protect users?

The upcoming update from Microsoft will enable revocation checking for bad Authenticode code signing certificates. If the user's computer has the security update, the user is not vulnerable to this potential attack.

Is there any software available to protect against content signed by these fraudulent certificates?

A number of vendors have deployed solutions to protect users and enterprises against the potential vulnerability posed by these fraudulently acquired certificates.

Who's at risk?

Users of Microsoft Internet Explorer versions 4.0, 4.01, 5.0, 5.01 and 5.5 are potentially vulnerable to this risk.

What happened? Did VeriSign follow normal procedures? What are you doing to avoid this in the future?

As good as our process is, we did not detect the fraud at issuance (stage one). This was due to human error. We did detect the fraud at stage two, during routine fraud screening. That said, we are actively implementing controls to improve our internal processes and prevent stage-one failures to detect fraud. We will be adding technical controls as well as more manual checks and balances to prevent this from occurring in the future.

Were the certificates issued to one or more parties?

We believe they were issued to a single entity. We are working with law enforcement authorities and with Microsoft and cannot disclose any more details at this time.

Have the certificates been revoked? What can still happen?

Yes, the certificates have been revoked. When a certificate is revoked, the certificate authority that issued it changes the certificate's status from 'valid' to 'revoked' and publishes a certificate revocation list (CRL) containing the serial number of the revoked certificate. You can check a certificate against the CRL to see whether it has been revoked. Few applications automatically check CRL status. From a practical perspective, checking the digital signature of the signed content alone is not enough protection: revocation checking is also needed, and it should occur on a real-time or near-real-time basis.
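The check described above, as an added example that is not part of the original advisory or of any VeriSign or Microsoft code: a constructed demo CA publishes a CRL, and the verifier confirms the CRL's issuer signature and freshness before looking for the certificate's serial number. The CA name, serial numbers and validity windows are assumed values for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// DemoCRL builds a constructed CA (demo only) and has it publish a CRL listing the given
// serial numbers as revoked, valid until nextUpdate. It returns the CRL and the issuing CA.
func DemoCRL(nextUpdate time.Time, serials ...*big.Int) (*x509.RevocationList, *x509.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Code Signing CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // CRLSign is required to issue CRLs
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &key.PublicKey, key)
	ca, _ := x509.ParseCertificate(caDER)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: nextUpdate.Add(-time.Hour), NextUpdate: nextUpdate}
	for _, s := range serials {
		crlTmpl.RevokedCertificates = append(crlTmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: s, RevocationTime: crlTmpl.ThisUpdate})
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, key)
	if err != nil {
		panic(err) // demo setup failure
	}
	crl, _ := x509.ParseRevocationList(crlDER)
	return crl, ca
}

// IsRevoked reports whether serial is listed in the CRL. A non-nil error means the CRL cannot be
// trusted (not signed by the expected issuer, or past NextUpdate) and must not be read as "not revoked".
func IsRevoked(crl *x509.RevocationList, issuer *x509.Certificate, serial *big.Int, now time.Time) (bool, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err // forged or tampered CRL
	}
	if now.After(crl.NextUpdate) {
		return false, errors.New("CRL is stale; fetch a fresh one before deciding")
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```

The signature on the signed content is a separate check; this function only answers the revocation question and fails closed when the CRL itself cannot be trusted.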

Microsoft has developed an update for its Internet Explorer browser and related operating system software. It is very important that users install this update. Please consult http://www.microsoft.com/technet/default.asp for availability of this update.

How often does this happen?

VeriSign has issued more than half a million (500,000) Class 3 certificates, and this is the first and only known instance in which we have discovered fraud in any of our Class 3 certificates, which include all of our code signing certificates.

What guidelines do you follow to issue digital certificates?

We publish our guidelines in VeriSign's Certification Practice Statement; see https://www.verisign.com/repository/CPS/. Details can be found in Section 2.2.3 on validation of Class 3 Organization certificates. Section 4.3 covers specifics for code signing certificates, and Section 5 covers the validation of certificate applications.

What fraud was committed in this case?

The party who obtained the certificate was acting fraudulently and against federal law by misrepresenting themselves as employees and representatives of Microsoft Corporation.

What precautions can you take to prevent this from happening again?

We use an extensive fraud detection process that is unmatched in the industry and sets a very high bar for ensuring that fraudulent requests are rejected. Still, we are continuously evaluating and improving our processes to maintain a high quality of service to our customers while making the process extremely difficult to defeat.

Are you working with the FBI? Have they accepted the case?

We are working with law enforcement agencies. They are working this as an active case. They do not communicate anything on an active investigation. This is being treated as a federal crime.

Will Microsoft issue a bulletin to its customers?

Yes, it is available at http://www.microsoft.com/technet/default.asp. Please consult this link for the availability of a planned update from Microsoft to protect against potential harm caused by these certificates.
