Erroneous VeriSign-Issued Digital Certificates

ReportedMarch 22, 2001, by Microsoft.

VERSIONS AFFECTED

DESCRIPTION

On January 30 and 31, 2001, VeriSign erroneouslyissued two Class 3 code-signing certificates to someone claiming to be aMicrosoft employee. These certificates enable signing of macros, programs,ActiveX controls, and executable content. By default, Microsoft OSs don't trustthe content signed by these two certificates, even though the certificatesappear to come from Microsoft. VeriSign has revoked the certificates, and theyare listed in VeriSign’s Certificate Revocation List (CRL), but because thecertificates don't list a CRL Distribution Point (CDP), it isn't possible forthe browser to download this CRL for use. A warning dialog box will still bepresent before the signed content executes, even if “Microsoft Corporation”is listed as trusted.

VENDOR RESPONSE

Microsoft has issued security bulletin MS01-017 to address this vulnerability. The company has also released patches for Windows XP Beta 2, Windows 2000, Windows NT, Windows Millennium Edition (Me), Windows 98, and Windows 95. Users can download the patches from Microsoft's Web site. Also, be sure to read Microsoft's security bulletin to review the caveats to these patches.

Users who don't want to install the patches can remove the VeriSign Commercial Software Publishers CA certificate from the Trusted Root Store, as discussed in Microsoft article Q293819, and install the Outlook Email Security Update. Microsoft has also recommended using a utility called Office Document Open Confirmation Tool to decrease the level of risk this vulnerability presents. Microsoft article Q293817 provides further information about the false certificates.

CREDIT
Discoveredby Microsoft