Information Security News mailing list archives

Microsoft, VeriSign Warn of Security Hole


From: William Knowles <wk () C4I ORG>
Date: Fri, 23 Mar 2001 20:40:17 -0600

http://www.pcworld.com/news/article/0,aid,45284,00.asp

Cameron Crouch, PCWorld.com
Thursday, March 22, 2001

Microsoft is issuing a warning to all Windows users that two VeriSign
digital certificates might falsely identify programs and patches as
trusted Microsoft products.

This means that a program you download from a Web site might carry a
certificate as Microsoft-approved and trustworthy, but it could
contain a virus or Trojan horse that could damage your system.

VeriSign takes responsibility, saying it mistakenly issued the
certificates to an individual posing as a Microsoft employee. The
bogus certificates are dated January 29 and 30, which is currently the
only way you can identify them, according to the Microsoft Security
Bulletin posted Thursday.

Microsoft is working on a patch to protect its users, although it
claims no one has yet used the certificates. The release could take
a while, because it needs to "run on every operating system we've
issued in the last six years as well as ones we're working on now,"
says Scott Culp, program manager at Microsoft's security response
center.

VeriSign alerted Microsoft of the error during an audit last week and
revoked the certificates, Culp says.

Explaining Broken Trust

Part of public key cryptography, a digital signature allows you to
implant a signature on data using a digital key, Culp says. "The
signature proves two things: the origin and the authenticity of that
piece of data," he says. In other words, the signature proves it came
from the trusted sender and hasn't been tampered with on the way, he
adds.

A digital certificate serves as a third-party verification of the
identity of the person who digitally signed the data, Culp says. "You
would need my digital certificate to verify my digital signature. The
certificate is issued to me by a third-party ticket authority like
VeriSign," he says.

"If you check the signature using that certificate key, it lets you
know it was me who signed it and not someone else," he adds. Programs
are often digitally signed and have certificates to reassure you when
you download something from a Web site, Culp says.

Digital certificates don't let anything happen without your approval,
Culp adds. "If you see that warning dialog, don't assume it's a slam
dunk. Click on the link that says Microsoft, get a picture of that
certificate, and see if it was issued on January 29 or 30. No real
certificates were issued that day."

Also, make sure you have the latest Outlook e-mail security update, he
adds.

Should someone try to use the certificates to launch a virus or Trojan
horse, they'll either put the program on a Web site or send it via
e-mail, Culp says. "Outlook e-mail security update will block that
mail-based attack."

Security Holes Abound

Despite Microsoft's denial of responsibility, security expert William
Knowles cites this incident as just the latest in a line of recent
Microsoft security problems.

"A malicious third party could write a Trojan application that could
take over your system," says Knowles, an analyst at the Internet
security site C4I.org. And because it says it's from Microsoft, you're
likely to go ahead and trust it, he adds.

"The big risk is when you're getting new code--like a Word update.
It'll ask you, 'Do you trust this information as being from
Microsoft?'" Knowles says.

And Microsoft wants to take on yet more of your personal information
and assume greater security risk. Part of its .Net initiative,
Microsoft's HailStorm will hold your personal information on the
company's servers, Knowles says. That's coming from a company that
can't even keep its operating system or network secure, he adds. "I'm
finding less and less reason to trust Microsoft."

And despite the warning, he fears most people won't take the time to
check on digital certificates before approving a program that claims
to be from Microsoft, Knowles says. "If it says it's from Microsoft,
it says it's from Microsoft. I'd trust a level 3 VeriSign certificate
saying it's from Microsoft."



*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*
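The check Culp describes in the article, worked through in code: the signature is verified first, then the certificate is inspected for the 29 and 30 January 2001 issue dates and for revocation. It goes a step beyond the article by showing that a signature made with a wrongly issued certificate still verifies cryptographically, which is exactly why the issue-date and revocation check is needed on top. This is an added Go example, not code from the article, Microsoft or VeriSign; the CA name, serial numbers, keys and payload are constructed, RevokedSerials is a hypothetical placeholder for the CA's revocation list, and Ed25519 stands in for the RSA keys of the era.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// Issue dates named in the bulletin. The bogus serial numbers are not in the article,
// so RevokedSerials is a hypothetical list to be filled from the CA's CRL.
var SuspectDays = map[string]bool{"2001-01-29": true, "2001-01-30": true}
var RevokedSerials = map[string]bool{}

// IsSuspectMicrosoftCert applies Culp's rule: a VeriSign-issued certificate that names
// Microsoft and was issued on 29 or 30 January 2001 is not trusted. Revocation is checked first.
func IsSuspectMicrosoftCert(c *x509.Certificate) bool {
	if RevokedSerials[c.SerialNumber.String()] {
		return true
	}
	fromVeriSign := strings.Contains(strings.ToLower(c.Issuer.String()), "verisign")
	namesMicrosoft := strings.Contains(strings.ToLower(c.Subject.String()), "microsoft")
	return fromVeriSign && namesMicrosoft && SuspectDays[c.NotBefore.UTC().Format("2006-01-02")]
}

// SignData signs a download with the certificate holder's private key (Ed25519 here).
func SignData(key ed25519.PrivateKey, data []byte) []byte { return ed25519.Sign(key, data) }

// SignatureValid checks only origin and integrity; it says nothing about whether c should exist.
func SignatureValid(c *x509.Certificate, data, sig []byte) bool {
	return c.CheckSignature(x509.PureEd25519, data, sig) == nil
}

// NewTestChain builds a constructed CA and leaf (not real VeriSign or Microsoft certificates).
func NewTestChain(issuedOn time.Time) (*x509.Certificate, ed25519.PrivateKey, error) {
	_, caKey, _ := ed25519.GenerateKey(rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:   pkix.Name{CommonName: "VeriSign Class 3 Code Signing CA (constructed)"},
		NotBefore: issuedOn.AddDate(-1, 0, 0), NotAfter: issuedOn.AddDate(5, 0, 0)}
	leafPub, leafKey, _ := ed25519.GenerateKey(rand.Reader)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), KeyUsage: x509.KeyUsageDigitalSignature,
		Subject:   pkix.Name{CommonName: "Microsoft Corporation"},
		NotBefore: issuedOn, NotAfter: issuedOn.AddDate(1, 0, 0)}
	der, _ := x509.CreateCertificate(rand.Reader, leaf, ca, leafPub, caKey)
	cert, err := x509.ParseCertificate(der) // nil der from a failed CreateCertificate fails here
	return cert, leafKey, err
}
```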

ISN is hosted by SecurityFocus.com

