Security Information - Week 13, 2001

The issue

One of the most widely used and respected issuers of digital certificates, VeriSign, recently announced that it had issued two digital certificates in the name of Microsoft Corporation to a person claiming to be a Microsoft employee. The certificates were issued on 29 and 30 January this year respectively. However, Microsoft had requested no certificates on those two days.

One must therefore assume that a person or persons with potentially bad intent have acquired these certificates.

The implications

Digital certificates are used in a Public Key Infrastructure (PKI). A certificate contains the public key together with information about the owner of the key, its expiry date and so on. The public key can, and is indeed intended to, be shared with everyone, unlike the corresponding private key, which must be kept secret and is used only by the owner of the key pair. Using the private key to sign (encrypt) a piece of data provides proof of its authenticity and origin. It does not provide confidentiality, since anyone holding the corresponding public key can decrypt the data.

The problem in this case, however, is that data signed with one of these certificates appears to come from a Microsoft source when it does not.

Digital certificates can be used to sign, for example, a program or an ActiveX control that is posted on a web site. ActiveX controls are powerful applications that may perform virtually any action the user's credentials allow. A user is always prompted, the first time, to accept or reject running an application digitally signed with one of these two certificates, but many may presume that a program or ActiveX control apparently signed by Microsoft is safe to run. In this case it is not!

The following Microsoft systems are in principle vulnerable:

  • Microsoft Windows 95
  • Microsoft Windows 98
  • Microsoft Windows Me
  • Microsoft Windows NT 4.0
  • Microsoft Windows 2000

That is effectively all operating systems shipped by Microsoft since 1995!

The problem

The two erroneously issued digital certificates have the following characteristics:

  • Certificate 1
    Issued by: VeriSign Commercial Software Publishers CA
    Validity period: 1/29/2001 to 1/30/2002
    Serial number: 1B51 90F7 3724 399C 9254 CD42 4637 996A
  • Certificate 2
    Issued by: VeriSign Commercial Software Publishers CA
    Validity period: 1/30/2001 to 1/31/2002
    Serial number: 750E 40FF 97F0 47ED F556 C708 4EB1 ABFD

VeriSign has revoked the two certificates and updated its certificate revocation list (CRL). However, there is currently no automatic procedure for checking a certificate against this list. This is what an upcoming program update from Microsoft is meant to remedy.
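The two checks a client should make before trusting signed code, as an added example that is not part of this bulletin and is neither Microsoft's nor VeriSign's code: a small Go program that builds a throwaway CA and a code-signing certificate whose subject claims the name "Microsoft Corporation", signs a program with the private key, verifies the chain and signature as described under "The implications", and then performs the revocation-list lookup that this bulletin says clients currently lack. Every key, CA name, serial number and sample program byte is constructed for the example (the revoked serial is not one of the two listed above), and it uses only Go's standard library, which needs Go 1.19 or later for the CRL parsing calls.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert issues a code-signing cert for cn signed by parent, or a self-signed CA when parent is nil.
func newCert(cn string, serial int64, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
		parent, parentKey = tmpl, key // self-signed root that may sign certificates and CRLs
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// signCode is the publisher's step: hash the program and sign the hash with the private key.
func signCode(program []byte, key *rsa.PrivateKey) []byte {
	h := sha256.Sum256(program)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	must(err)
	return sig
}

// verifySignedCode is the client's first check: trusted chain, code-signing usage, signature over these bytes.
func verifySignedCode(leaf, root *x509.Certificate, program, sig []byte) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	opts.Roots.AddCert(root)
	if _, err := leaf.Verify(opts); err != nil {
		return err
	}
	return leaf.CheckSignature(x509.SHA256WithRSA, program, sig)
}

// isRevoked is the second check, the one the bulletin says clients lack: confirm
// the CRL really is the CA's, then look the certificate's serial number up in it.
func isRevoked(leaf, ca *x509.Certificate, crlDER []byte) bool {
	crl, err := x509.ParseRevocationList(crlDER)
	must(err)
	must(crl.CheckSignatureFrom(ca)) // a CRL the CA did not sign proves nothing
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true
		}
	}
	return false
}

// Scenario replays the incident with constructed keys, names and serials: the CA issues a code-signing
// cert whose subject claims a well-known name, the holder signs a program, and the CA later revokes the cert.
func Scenario() (sigOK, revoked bool) {
	ca, caKey := newCert("Example Software Publishers CA (constructed)", 1, nil, nil)
	leaf, leafKey := newCert("Microsoft Corporation", 4242, ca, caKey)
	program := []byte("constructed sample: bytes of a signed installer")
	sig := signCode(program, leafKey)
	// The chain and signature are genuine, so this passes: the subject name alone is no warning.
	sigOK = verifySignedCode(leaf, ca, program, sig) == nil
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          time.Now(),
		NextUpdate:          time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: time.Now()}},
	}, ca, caKey)
	must(err)
	revoked = isRevoked(leaf, ca, crlDER)
	return
}

func main() {
	sigOK, revoked := Scenario()
	fmt.Printf("chain and signature valid: %v, certificate revoked: %v\n", sigOK, revoked)
}
```

The point the run makes is the one this bulletin turns on: the chain and signature check succeeds, because the certificate really was issued by the CA and the signature really was made with its private key, so a client that stops there will trust the code. Only the CRL lookup, which must itself confirm that the list is signed by the CA, reveals that the certificate has been withdrawn.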

The solution - more information

Microsoft has announced that it will publish a program update that revokes these two certificates. At the time of writing, this update was not available from Microsoft's web site. Consult the Microsoft web page listed below for information about the availability of the update, and install it as soon as it is available to be protected.

More information is available from these URLs:

Per Olav Førland