One week after Microsoft Corp. said two fraudulent digital certificates had been issued in its name by VeriSign Inc., the software giant has released a patch that closes the hole.
Consumers who check the company’s security bulletin will find the fix there.
VeriSign mistakenly issued two Class 3 code-signing certificates in late
January to an individual who falsely claimed to be a Microsoft employee. The
certificates could be used to sign programs, ActiveX controls, Office macros
and other executable content. Microsoft said Windows 95, Windows 98, Windows
Me, Windows NT 4.0 and Windows 2000 are all affected by the vulnerability.
A digital certificate binds a public key to a name, so that a signature made
with the matching private key can be checked on electronic documents such as
contracts, Web sites and code. Verifying the signature confirms that the
holder of the certificate signed the document; it says nothing about whether
the certificate was issued to the right person in the first place.
Unfortunately for Microsoft, the certificates chain to a root that Windows
trusts for code signing, so anything signed with them would appear to come
from Microsoft Corporation.
“Of these, signed ActiveX controls and Office macros would pose the greatest
risk, because the attack scenarios involving them would be the most
straightforward,” Microsoft said in the security bulletin. “Both ActiveX controls and Word documents can be delivered
via either Web pages or HTML mails. ActiveX controls can be automatically
invoked via script, and Word documents can be automatically opened via
script unless the user has applied the Office Document Open Confirmation
Tool.”
In practice, an attacker could sign a Trojan horse or other malicious
executable with one of the certificates and deliver it so that the user’s
software attributed it to Microsoft.
VeriSign VP Mahi deSilva took some responsibility last week for the problem,
saying that an employee had not followed the company’s established
procedures. VeriSign has since revoked the certificates and listed them in
its current Certificate Revocation List (CRL). That alone does not protect
users, however: VeriSign’s code-signing certificates do not carry a CRL
Distribution Point (CDP) extension, so a browser’s CRL-checking mechanism has
no way to discover where the VeriSign CRL lives, download it and consult it.
A client that never sees the CRL keeps accepting the revoked certificates,
which is why a patch was needed.
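To make the CDP point concrete, here is an added example (not code from the article, Microsoft or VeriSign) that reads an X.509 Extensions block with a minimal DER walker from the Python standard library, reports the extended key usages, pulls any URIs out of the cRLDistributionPoints extension, and then models the client’s revocation decision. The two extension blocks and the CRL URI are constructed for illustration and are not the 2001 VeriSign certificates; the `local_crl` argument stands in for a CRL installed out of band, which is the role Microsoft’s patch played.

```python
"""Does a code-signing certificate tell clients where its CRL is?

Added example, not code from the article, Microsoft or VeriSign. Standard
library only. The sample extension blocks below are constructed here; they
are not real certificates.
"""

CRL_DISTRIBUTION_POINTS = "2.5.29.31"     # id-ce-cRLDistributionPoints
EXT_KEY_USAGE = "2.5.29.37"               # id-ce-extKeyUsage
ID_KP_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"  # id-kp-codeSigning
SAMPLE_CRL_URI = "http://crl.example.test/codesigning.crl"  # hypothetical


# --- DER encoding, used only to build the constructed samples ---

def der(tag, body):
    """Wrap body in a definite-length DER TLV with the given tag."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:                                   # long form: 0x80|k, then k length bytes
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def oid_to_der(dotted):
    """Encode a dotted OID such as "2.5.29.31" as an OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                    # base-128, high bit set on all but last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


# --- DER decoding ---

def tlvs(buf):
    """Yield (tag, value) for each top-level TLV in buf, without descending."""
    i = 0
    while i < len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        yield tag, buf[i:i + length]
        i += length


def walk(buf):
    """Yield every TLV, descending into constructed types (tag bit 0x20 set)."""
    for tag, value in tlvs(buf):
        yield tag, value
        if tag & 0x20:
            yield from walk(value)


def der_to_oid(body):
    """Decode OBJECT IDENTIFIER contents (first two arcs share the first byte)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_extensions(ext_der):
    """Map extnID -> extnValue bytes for a DER Extensions SEQUENCE."""
    (tag, body), = tlvs(ext_der)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    result = {}
    for _, ext in tlvs(body):
        fields = list(tlvs(ext))            # extnID, optional critical BOOLEAN, extnValue
        result[der_to_oid(fields[0][1])] = fields[-1][1]
    return result


def extended_key_usages(ext_der):
    exts = parse_extensions(ext_der)
    if EXT_KEY_USAGE not in exts:
        return []
    return [der_to_oid(v) for t, v in walk(exts[EXT_KEY_USAGE]) if t == 0x06]


def crl_distribution_uris(ext_der):
    """URIs from cRLDistributionPoints, or [] when the extension is absent."""
    exts = parse_extensions(ext_der)
    if CRL_DISTRIBUTION_POINTS not in exts:
        return []
    # GeneralName uniformResourceIdentifier is [6] IMPLICIT IA5String, tag 0x86
    return [v.decode("ascii") for t, v in walk(exts[CRL_DISTRIBUTION_POINTS]) if t == 0x86]


def revocation_status(ext_der, serial, fetched_crls, local_crl):
    """Model a client's decision: fetched_crls maps CDP URI -> revoked serials it
    could download; local_crl is a CRL installed out of band (the patch's role)."""
    uris = crl_distribution_uris(ext_der)
    for uri in uris:
        if uri in fetched_crls:
            return "revoked" if serial in fetched_crls[uri] else "good"
    if uris:
        return "unknown-crl-unavailable"
    # No CDP: the client cannot discover the issuer's CRL on its own.
    return "revoked" if serial in local_crl else "unknown-no-cdp"


# --- Constructed sample extension blocks (illustrative, not real certificates) ---

def _eku_code_signing():
    return der(0x30, oid_to_der(EXT_KEY_USAGE)
               + der(0x04, der(0x30, oid_to_der(ID_KP_CODE_SIGNING))))


def _cdp(uri):                              # distributionPoint [0] fullName [0] URI [6]
    name = der(0xA0, der(0xA0, der(0x86, uri.encode("ascii"))))
    return der(0x30, oid_to_der(CRL_DISTRIBUTION_POINTS)
               + der(0x04, der(0x30, der(0x30, name))))


CERT_WITH_CDP = der(0x30, _eku_code_signing() + _cdp(SAMPLE_CRL_URI))
CERT_WITHOUT_CDP = der(0x30, _eku_code_signing())   # the situation in the article

if __name__ == "__main__":
    for label, ext in (("with CDP", CERT_WITH_CDP), ("without CDP", CERT_WITHOUT_CDP)):
        print(label, extended_key_usages(ext), crl_distribution_uris(ext),
              revocation_status(ext, 7, {SAMPLE_CRL_URI: {7}}, set()))
```

Note the asymmetry the sample exposes: with the CDP present, a client that can reach the URI reports the revoked serial as revoked; without it, the same serial comes back "unknown-no-cdp" even though the issuer’s CRL exists, and only a CRL pushed to the machine by other means (here `local_crl`) changes the answer.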
To get the full benefit of the patch, Microsoft strongly recommends that
customers upgrade to Internet Explorer 5 or later before installing the
update. The update will also be included in Windows XP Gold and Windows 2000
Service Pack 2, as well as in Internet Explorer 6.
While Microsoft has scurried to rectify the breach, the fraudulent
certificates come at an inconvenient time for the firm, which is preaching
security and privacy in light of several questions raised by its pending
software-as-a-service strategy HailStorm.
Most of what the public knows as HailStorm is based on Passport and is
geared to provide both privacy and security protection and personalization
services across all sites that implement it. It will enable consumers to
have a single sign-on to all .Net-based sites and to create preferences.
Still, Gartner Group has said that VeriSign should bear the brunt of
responsibility and must act on it by undertaking a security audit to ensure
that other fraudulent certificates have not been issued under other trusted
names, as well as provide proof that it has rectified the deficiencies that
led to this problem. The research firm went so far as to suggest that
enterprises remove the VeriSign Commercial Software Publishers CA
certificate from the Trusted Root Store in all browsers if VeriSign does not
take these actions by May.