VeriSign issues false Microsoft digital certificates

Microsoft Corp. on Thursday began warning users that VeriSign Inc. erroneously issued two digital certificates in January to someone masquerading as a Microsoft representative, potentially giving the impostor the means to trick users into running malicious programs delivered through a Web site or an e-mail attachment.

The code-signing certificates, created and issued by VeriSign on Jan. 29 and 30, went to the impostor as a result of a “stage one failure due to human behavior to confirm the [imposter’s] identity,” said Mahi DeSilva, vice president and general manager of supply trust services at VeriSign, in Mountain View, Calif.

“We have issued 500,000 certificates using this process and these are the only two certificates known to be fraudulently acquired,” DeSilva said. “We have been asked by the FBI not to disclose specific details around this, but the fact of the matter is we had human failure around corroboration of those events.”

He added, “This is an online process, and we require each applicant to give us information about themselves as a resident of a corporation — also separate verifiable information and separate billing information.”

DeSilva said two human beings look at each digital certificate enrollment and issuance performed by VeriSign. The company said its stage two fraud detection system discovered the failure. VeriSign declined to divulge too much information about its internal certificate process, citing concern that potential perpetrators could model the attacks against the security company’s systems.

VeriSign and Microsoft said there is no known fraudulent code that has been signed by the pair of bogus certificates.

The fraudulently obtained certificates are Authenticode certificates, used in Microsoft’s program for digitally signing software and content distributed online.

Microsoft, in Redmond, Wash., first learned of the fraudulent certificates when VeriSign alerted it after an audit conducted in March revealed the mistaken issuance, said Scott Culp, security program manager at Microsoft’s Security Response Center.

“The only reason that Microsoft is involved in this issue is because our name happens to be on the digital certificate VeriSign erroneously issued,” Culp said. “This is strictly an issue of a third party not following proper procedures and issuing a piece of identification to someone saying they’re Microsoft when they obviously weren’t.”

Culp said that after it was notified, the software giant did a physical inventory of every certificate VeriSign had ever issued to it and found all of them present, accounted for, safely locked away and in good working order.

Microsoft has already posted a security bulletin (MS01-017) describing the problem; affected software includes Windows 95, 98, Windows Me, Windows NT 4.0 and Windows 2000. A patch protecting users of every Microsoft platform shipped in the last six years could be ready next week, Culp added.

Culp said the two most likely ways to attack with the fraudulently obtained certificates are to sign a malicious program and lure users to a Web site that hosts it, or to embed the attack in HTML and send it to users as an e-mail attachment. Installing the latest version of Microsoft’s Outlook e-mail security update should block either attempt, according to Culp.

Culp said the certificates can only be used to sign programs, including executables, ActiveX controls and Microsoft Office macros. They cannot be used to encrypt data, sign e-mail or sign device drivers.

Users should pay attention to the warning dialogue that is guaranteed to appear whenever a program signed with either certificate is run; it displays the certificate’s issue date, which for the bogus pair is one of the two January dates, Culp said. Still, he said loyal Microsoft users and customers could be tricked by a false sense of security about the company’s products.

“Even a prudent person reading that dialogue, may say ‘I trust content from Microsoft and it’s OK to let it run.’ The purpose of [the security] bulletin is to change that thinking,” he added.

Culp said the forthcoming security update will install a local certificate revocation list (CRL) that identifies the two fraudulent certificates, and Internet Explorer will consult that local copy whenever it checks a signature. A local list is needed because the certificates carry no pointer to an online revocation list, so a client cannot discover the revocation on its own.
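The check the update added, reproduced on a current Windows machine as an added example (this is not code from the article, from Microsoft or from VeriSign): verify a file’s Authenticode signature, rebuild the signer’s chain, and reject the file if any certificate in that chain appears on the local list of revoked or explicitly untrusted certificates, which today is the “Untrusted Certificates” (Disallowed) store. The subject and issuer strings used to pick out the 2001 entries, and the default file path, are assumptions; adjust them to your environment.

```powershell
<#
  Added example, not from the article. Mirrors the 2001 Internet Explorer fix:
  accept an Authenticode signature only if no certificate in the signer's chain
  is on the local list of untrusted certificates (the Disallowed store).
  Assumption: the 2001 entries are stored under the subject/issuer strings below.
#>
param(
    [string]$Path = (Join-Path $env:SystemRoot 'System32\notepad.exe')  # assumed sample file
)

$FakeSubject = 'CN=Microsoft Corporation'                    # assumed naming of the 2001 entries
$FakeIssuer  = 'VeriSign Commercial Software Publishers CA'  # assumed name of the issuing CA

# The local revocation data: every thumbprint in the machine and user Disallowed stores.
$Disallowed = Get-ChildItem -Path Cert:\LocalMachine\Disallowed, Cert:\CurrentUser\Disallowed |
    ForEach-Object { $_.Thumbprint.ToUpperInvariant() } |
    Sort-Object -Unique

function Get-FakeMicrosoftCert {
    # Lists the entries that correspond to the incident, including the January 2001
    # NotBefore dates that the warning dialogue described in the article exposes.
    Get-ChildItem -Path Cert:\LocalMachine\Disallowed, Cert:\CurrentUser\Disallowed |
        Where-Object { $_.Subject -like "*$FakeSubject*" -and $_.Issuer -like "*$FakeIssuer*" } |
        Select-Object Subject, Issuer, NotBefore, NotAfter, Thumbprint
}

function Test-AuthenticodeTrusted {
    param([Parameter(Mandatory)][string]$FilePath)

    $result = [ordered]@{ File = $FilePath; Trusted = $false; Signer = $null; Reason = $null }
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    $result.Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }

    # A missing, tampered or untrusted signature fails before any revocation question arises.
    if ($sig.Status -ne 'Valid') {
        $result.Reason = "signature status is $($sig.Status)"
        return [pscustomobject]$result
    }

    # Rebuild the chain so every element can be inspected, and ask for online CRL/OCSP
    # checking where a certificate publishes a distribution point. Certificates that do
    # not (the 2001 pair did not) can only be caught by the local list consulted below.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $null = $chain.Build($sig.SignerCertificate)

    foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate
        if ($Disallowed -contains $cert.Thumbprint.ToUpperInvariant()) {
            $result.Reason = "chain element is on the local untrusted list: $($cert.Subject) (valid from $($cert.NotBefore))"
            return [pscustomobject]$result
        }
    }
    foreach ($status in $chain.ChainStatus) {
        if ($status.Status -ne 'NoError') {
            $result.Reason = "chain status $($status.Status): $($status.StatusInformation)"
            return [pscustomobject]$result
        }
    }

    $result.Trusted = $true
    $result.Reason  = 'valid signature; no chain element is revoked or untrusted'
    return [pscustomobject]$result
}

'Entries from the 2001 incident carried by this machine:'
Get-FakeMicrosoftCert | Format-List
'Verdict for the requested file:'
Test-AuthenticodeTrusted -FilePath $Path | Format-List
```

Run it as `.\Test-AuthenticodeTrusted.ps1 -Path C:\some\download.exe`. `Get-AuthenticodeSignature` already honours the Disallowed store, so a file signed with one of the 2001 certificates would normally come back as `NotTrusted` before the explicit loop runs; the loop is kept because it makes the local-list check visible and reports which chain element matched and when it became valid, which is the detail the warning dialogue asks users to notice.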