Microsoft Product Support Services   All Products  |   Support  |   Search  |   microsoft.com Home  
microsoft.com
  Support Home  |   Find a Solution  |   Request Support  |   Custom Support  |

Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard


The information in this article applies to:
  • Microsoft Windows versions 2000, 2000 SP1 Advanced Server
  • Microsoft Windows versions 2000, 2000 SP1 Server
  • Microsoft Windows versions 2000, 2000 SP1 Professional
  • Microsoft Windows NT Server versions 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4, 4.0 SP5, 4.0 SP6a
  • Microsoft Windows NT Server, Enterprise Edition versions 4.0, 4.0 SP4, 4.0 SP5, 4.0 SP6a
  • Microsoft Windows NT Workstation versions 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4, 4.0 SP5, 4.0 SP6a
  • Microsoft Windows NT Server versions 4.0, 4.0 SP4, 4.0 SP5, 4.0 SP6, Terminal Server Edition
  • Microsoft Windows Millennium Edition
  • Microsoft Windows 98 Second Edition
  • Microsoft Windows 98
  • Microsoft Windows 95


SUMMARY

VeriSign, Inc., recently advised Microsoft that on January 29 and 30, 2001, it issued two VeriSign Class 3 code-signing digital certificates to an individual who fraudulently claimed to be a Microsoft employee. The common name assigned to both certificates is "Microsoft Corporation." The ability to sign executable content by using keys that purport to belong to Microsoft would clearly be advantageous to a malicious user who wanted to convince users to allow the content to run.

The certificates could be used to sign programs, ActiveX controls, Microsoft Office macros, and other executable content. Of these, signed ActiveX controls and Office macros would pose the greatest risk, because the attack scenarios involving them would be the most straightforward. Both ActiveX controls and Microsoft Word documents can be delivered by either Web pages or HTML e-mail messages. ActiveX controls can be automatically invoked by a script, and Word documents can be automatically opened by a script unless you have applied the Microsoft Office Document Open Confirmation tool.

Although the certificates state that they are owned by Microsoft, they are not real Microsoft certificates, and content that is signed by them would not be trusted by default. Trust is defined on a certificate-by-certificate basis, rather than on the basis of the common name. Therefore, a warning message would be displayed before any of the signed content could be run, even if you had previously agreed to trust other certificates with the common name "Microsoft Corporation." The danger is that even a security-conscious user might agree to let the content run, and might agree to always trust the fraudulent certificates.

VeriSign has revoked the certificates, and they are listed in the VeriSign current Certificate Revocation list (CRL). However, because the VeriSign code-signing certificates do not specify a CRL Distribution Point (CDP), it is not possible for any browser's CRL-checking mechanism to download the VeriSign CRL and use it. Microsoft has developed an update that rectifies this problem. The update package includes a CRL containing the two certificates, and an installable revocation handler that consults the CRL on the local computer, rather than attempting to use the CDP mechanism.

For additional information on this update, click the article number below to view the article in the Microsoft Knowledge Base:

Q293811 Update Available to Revoke Fraudulent Microsoft Certificates Issued by VeriSign


MORE INFORMATION

Mitigating Factors

  • The certificates are not trusted by default. Therefore, neither code nor ActiveX controls could be made to run without displaying a warning message. By viewing the certificate in such messages, you can easily recognize the certificates.


  • The certificates are not the real Microsoft code-signing certificates. Content that is signed by those keys can be distinguished from real Microsoft content.


For additional information about how to revoke the the trusted status for these certificates, click the article number below to view the article in the Microsoft Knowledge Base:
Q293816 How to Determine Whether You Have Accepted Trust for Fraudulent VeriSign-Issued Certificates
For additional information, see the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/ms01-017.asp

Additional query words: security_patch

Keywords : kb3rdparty kbWinME kbWin95 kbWin98 kbWin98SE
Issue type : kbinfo
Technology : kbWinNTsearch kbWinNTWsearch kbWinNTW400search kbwin2000AdvServSearch kbWinNTW400sp4 kbWinNTW400sp3 kbWinNTSsearch kbWinNTSEntSearch kbWinNTS400sp6 kbWinNTS400sp5 kbWinNTS400xsearch kbwin2000Ssearch kbwin2000ProSearch kbNTTermServSearch kbWinMEsearch kbWin95search kbWin98search kbWin98SEsearch kbExchange400 kbWinAdvServSearch kbWin2000AdvServSP1 kbWin95 kbWin98 kbWinME kbWin98SE kbCOMTI400SP2


Last Reviewed: March 31, 2001
© 2001 Microsoft Corporation. All rights reserved. Terms of Use.


Article ID: Q293818

Last Reviewed:
March 31, 2001

Send to a friend

Provided by
Microsoft Product Support Services


Did the information in this article help answer your question?

Yes
No
Did not apply

Please provide additional comments about this information.
(255 character max)