RealTime IT News

Microsoft Creates Patch for Digital Certificate Holes

One week after Microsoft Corp. said two false digital certificates were issued in its name by VeriSign Inc., the software giant has patched the security holes.

Consumers who check the company's security bulletin will find the cure here.

VeriSign mistakenly issued two Class 3 certificates in late January to someone claiming to be a Microsoft employee. The certificates could be used to sign programs, ActiveX controls, Office macros and other executable content. Microsoft said Windows 95, Windows 98, Windows Me, Windows NT 4.0 and Windows 2000 are affected by the vulnerability.

A digital certificate is used to sign off, so to speak, on electronic documents, such as contracts, Web sites and code. A certificate lets the recipient verify that a particular author signed the document. Unfortunately for Microsoft, the certificates are part of its software verification scheme.

"Of these, signed ActiveX controls and Office macros would pose the greatest risk, because the attack scenarios involving them would be the most straightforward," Microsoft said in the security bulletin. "Both ActiveX controls and Word documents can be delivered via either Web pages or HTML mails. ActiveX controls can be automatically invoked via script, and Word documents can be automatically opened via script unless the user has applied the Office Document Open Confirmation Tool."

Theoretically, a hacker could trigger a Trojan horse or some form of executable virus and make it look as though Microsoft was the perpetrator.

VeriSign VP Mahi deSilva took some responsibility last week for the problem, saying that an employee had not followed the company's established procedures. VeriSign has since revoked the certificates and listed them in its current Certificate Revocation List (CRL), but VeriSign's code-signing certificates don't specify a CRL Distribution Point (CDP), the extension that tells a client where to fetch the issuer's CRL. Accordingly, a browser's CRL-checking mechanism had no way to locate and download the VeriSign CRL, so it could not use it to reject the fraudulent certificates.
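The revocation gap described above, as an added example that is not from the article or from Microsoft or VeriSign: a Go program using only the standard library builds a constructed root CA, a code-signing certificate with or without a CDP, and a CRL from that CA revoking the certificate. Its `Status` check shows that a client whose only automatic revocation source is the CDP cannot decide anything about a certificate that lacks one, and that a locally installed, issuer-signed CRL (this example's assumed fallback, not a description of the Microsoft patch) closes the gap. All names, serials and URLs are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Build returns a constructed fixture: a root CA, a code-signing leaf whose CRL
// Distribution Points are cdp (nil reproduces the article) and a CRL revoking it.
func Build(cdp []string) (ca, leaf *x509.Certificate, crl *x509.RevocationList) {
	now := time.Now()
	caKey, leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Root"}, NotBefore: now,
		NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "Publisher"}, NotBefore: now,
		NotAfter: now.Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}, CRLDistributionPoints: cdp}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	crl = must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: now, NextUpdate: now.Add(time.Hour), RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}}, ca, caKey))))
	return ca, leaf, crl
}

// Status: "fetch-cdp" if the client can locate a CRL via the CDP, else the verdict of a local issuer-signed CRL.
func Status(leaf, issuer *x509.Certificate, local *x509.RevocationList) string {
	if len(leaf.CRLDistributionPoints) > 0 {
		return "fetch-cdp"
	}
	if local == nil || local.CheckSignatureFrom(issuer) != nil {
		return "unknown" // no CDP and no trustworthy local CRL: revocation cannot be checked
	}
	for _, rc := range local.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return "revoked"
		}
	}
	return "good"
}
```

A CRL that is present but not signed by the certificate's issuer is deliberately treated as absent, since an unauthenticated revocation list could itself be forged.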

To get the full benefit of the patch, Microsoft strongly recommends that customers upgrade to Internet Explorer 5 or later before installing the update. The update will be included in Windows XP Gold and Windows 2000 Service Pack 2, as well as in Internet Explorer 6.

While Microsoft has scurried to rectify the breach, the fraudulent certificates come at an inconvenient time for the firm, which is preaching security and privacy in light of several questions raised by its pending software-as-a-service strategy HailStorm.

Most of what the public knows as HailStorm is based on Passport and is geared to provide both privacy and security protection and personalization services across all sites that implement it. It will enable consumers to have a single sign-on to all .Net-based sites and to create preferences.

Still, Gartner Group has said that VeriSign should bear the brunt of responsibility and must act on it by undertaking a security audit to ensure that other fraudulent certificates have not been issued under other trusted names, as well as provide proof that it has rectified the deficiencies that led to this problem. The research firm went so far as to suggest that enterprises remove the VeriSign Commercial Software Publishers CA certificate from the Trusted Root Store in all browsers if VeriSign does not take these actions by May.