Microsoft Corp. Thursday warned that users of its software products should beware of two fraudulently obtained digital certificates mistakenly issued in its name.
Microsoft said VeriSign Inc. recently informed it that on Jan. 29 and 30, 2001, VeriSign erroneously issued two Class 3 code-signing certificates to a person posing as a Microsoft employee. Both certificates were assigned to “Microsoft Corporation,” and have the ability to sign executable content using keys that claim to belong to Microsoft.
“The ability to sign executable content using keys that purport to belong to Microsoft would clearly be advantageous to an attacker who wished to convince users to allow the content to run,” Microsoft said in a security bulletin.
The certificates could be used to sign programs, ActiveX controls, Office macros and other executable content.
“Of these, signed ActiveX controls and Office macros would pose the greatest risk, because the attack scenarios involving them would be the most straightforward,” Microsoft said. “Both ActiveX controls and Word documents can be delivered via either Web pages or HTML mails. ActiveX controls can be automatically invoked via script, and Word documents can be automatically opened via script unless the user has applied the Office Document Open Confirmation Tool.”
Microsoft confirmed that Windows 95, Windows 98, Windows Me, Windows NT 4.0 and Windows 2000 are affected by the vulnerability.
VeriSign has since revoked the certificates and listed them in its current Certificate Revocation List (CRL), but VeriSign’s code-signing certificates don’t specify a CRL Distribution Point (CDP), so a browser’s CRL-checking mechanism cannot locate, download and use the VeriSign CRL. Microsoft is working on patches that work around that issue using a CRL containing the two certificates and an installable revocation handler that consults the CRL on the local machine rather than attempting to use the CDP mechanism.
Microsoft said it will release patches for all platforms released since 1995, but also explained that the patches are not yet available because of the large number of platforms that need to be tested. However, there are steps that users can take before the patches become available.
First, Microsoft advised that users should visually inspect all certificates cited in warning dialogues by clicking on the “Microsoft Corporation” hyperlink in the dialogue box. The certificates were issued on Jan. 29 and Jan. 30, 2001, and no bona fide Microsoft certificates were issued on those dates.
Secondly, the company said users should install the Outlook Email Security Update to prevent the launch of mail-borne programs, and install the Office Document Open Confirmation Tool to force Web pages to request permission before opening Office documents.
Finally, Microsoft suggested that users consider temporarily removing the VeriSign Commercial Software Publishers CA certificate from the Trusted Root Store. However, the company noted that removing the certificate is a fairly drastic step which would trigger a warning dialogue any time code signed with a VeriSign-issued certificate is downloaded.
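The two mechanisms above, a revocation handler that consults a CRL stored on the local machine instead of following a CRL Distribution Point, and the visual check of the certificate’s issue date, can be illustrated in code. The following Go program is an added example written for this article; it is not code from Microsoft, VeriSign, or the patches described. It uses only Go’s standard crypto/x509 package. The CA, the publisher name “Example Software Publisher”, the serial numbers, and the dates are constructed for the example; the issued certificates deliberately carry no CRL Distribution Point, mirroring the situation described. It goes slightly beyond the article by also showing a certificate that is not on the CRL and by rejecting a CRL that the issuing CA did not sign.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RevocationStatus is what a local-CRL revocation handler can report about a
// code-signing certificate without fetching anything from the network.
type RevocationStatus struct {
	HasCDP   bool      // the certificate names a CRL Distribution Point
	Revoked  bool      // its serial number appears in the supplied CRL
	IssuedOn time.Time // NotBefore, the date a user would inspect in the dialogue
}

// TestPKI holds a constructed CA, two certificates it issued, and a CRL that
// revokes one of them. Every value in it is made up for this example.
type TestPKI struct {
	CA                *x509.Certificate
	Fraudulent, Legit *x509.Certificate
	CRLDER            []byte
}

// issueCodeSigningCert issues a code-signing certificate that, like the
// certificates described in the article, carries no CRL Distribution Point.
func issueCodeSigningCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, notBefore time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "Example Software Publisher"}, // constructed
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		// CRLDistributionPoints is intentionally left empty.
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildTestPKI creates the CA, one "fraudulent" certificate dated 30 Jan 2001,
// one legitimate certificate dated mid-2000, and a CRL listing only the former.
func buildTestPKI() (*TestPKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Commercial Software Publishers CA"}, // constructed
		NotBefore:             time.Date(2000, time.January, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2030, time.January, 1, 0, 0, 0, 0, time.UTC),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to issue a CRL
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER) // parsed form carries the generated SubjectKeyId
	if err != nil {
		return nil, err
	}
	fraud, err := issueCodeSigningCert(ca, caKey, 0x1ec1, time.Date(2001, time.January, 30, 12, 0, 0, 0, time.UTC))
	if err != nil {
		return nil, err
	}
	legit, err := issueCodeSigningCert(ca, caKey, 0x0aa3, time.Date(2000, time.June, 1, 12, 0, 0, 0, time.UTC))
	if err != nil {
		return nil, err
	}
	now := time.Now().UTC()
	crlTmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: now,
		NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: fraud.SerialNumber, RevocationTime: now},
		},
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return &TestPKI{CA: ca, Fraudulent: fraud, Legit: legit, CRLDER: crlDER}, nil
}

// checkWithLocalCRL is the local revocation handler: it never consults a CDP,
// verifies that the issuing CA signed the CRL, and then looks up the serial.
func checkWithLocalCRL(leaf, issuer *x509.Certificate, crlDER []byte) (RevocationStatus, error) {
	st := RevocationStatus{HasCDP: len(leaf.CRLDistributionPoints) > 0, IssuedOn: leaf.NotBefore}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return st, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return st, fmt.Errorf("local CRL not signed by issuer: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			st.Revoked = true
			break
		}
	}
	return st, nil
}

// issuedOnSuspectDates is the visual check from the article: the two
// fraudulent certificates were issued on 29 and 30 January 2001.
func issuedOnSuspectDates(cert *x509.Certificate) bool {
	d := cert.NotBefore.UTC()
	return d.Year() == 2001 && d.Month() == time.January && (d.Day() == 29 || d.Day() == 30)
}

func main() {
	pki, err := buildTestPKI()
	if err != nil {
		panic(err)
	}
	for name, c := range map[string]*x509.Certificate{"fraudulent": pki.Fraudulent, "legit": pki.Legit} {
		st, err := checkWithLocalCRL(c, pki.CA, pki.CRLDER)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: CDP=%v revoked=%v suspect-date=%v\n", name, st.HasCDP, st.Revoked, issuedOnSuspectDates(c))
	}
}
```

The handler takes the issuing CA certificate as a parameter so that a CRL dropped onto the machine by anyone other than the CA is rejected before its contents are trusted; a real handler would also refuse a CRL whose NextUpdate has passed.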
Fortunately, Microsoft said the two certificates are not trusted by default, even if a user has previously agreed to trust all downloads from Microsoft.
“As a result, neither code nor ActiveX controls could be made to run without displaying a warning dialogue,” the company said. “By viewing the certificate in such dialogues, users can easily recognize the certificates.”
The identity of the person who bought the certificates from VeriSign is not yet known. Microsoft said that it is working closely with VeriSign and law enforcement authorities to track down the person, “as it appears that several laws may have been broken during the purchase of these certificates.”
The company has asked that anyone encountering one of the fraudulent certificates contact it at [email protected].