Microsoft says beware of stolen certificates

[InfoSec News <isn () C4I ORG>]

http://www.zdnet.com/zdnn/stories/news/0,4586,5079987,00.html?chkpt=zdhpnews01

By Robert Lemos
ZDNet News
UPDATED March 22, 2001 3:46 PM PT

Two digital certificates have been mistakenly issued in Microsoft's
name that could be used by virus writers to fool people into running
harmful programs, the software giant warned Thursday.  According to
Microsoft, someone posing as a Microsoft employee tricked VeriSign,
which hands out so-called digital signatures, into issuing the two
certificates in the software giant's name on Jan. 30 and Jan. 31.

Such certificates are critical for businesses and consumers who
download patches, updates and other pieces of software from the
Internet, because they verify that the software is being supplied from
a particular company, such as Microsoft.

In this case, a person using the VeriSign-issued certificates could
post a virus on the Web that would appear to be from Microsoft but
could actually be used to wipe out a person's hard drive, for example.

"Our main interest right now is to get the word out and let people
know what they can do," said Steve Lipner, manager of Microsoft's
Security Response Center. Microsoft first heard of the incident last
week when VeriSign notified the Redmond, Wash.-based company. Lipner
added that the FBI has been asked to investigate.

A Microsoft security bulletin issued Thursday states that the
vulnerability could affect "all customers using Microsoft products."

"The certificates could be used to sign programs, ActiveX controls,
Office macros, and other executable content," states the bulletin. "Of
these, ActiveX controls and Office macros would pose the greatest
risk, because the attack scenarios involving them would be the most
straightforward."

So far, there is no evidence that the certificates have been used,
Lipner said.

Normally, VeriSign assigns a new certificate after receiving an
appropriate request. Mahi de Silva, vice president and general manager
of applied services at the Mountain View, Calif., company, would not
elaborate on how the company verifies requests, but said, "Due to
human error we did not detect that the individual misrepresented that
they worked for Microsoft when, in fact, they did not."

After granting a request for new certificates, VeriSign verifies by
e-mail that its customer has ordered the new codes. In this case, "it
took awhile for the feedback loop from (Microsoft) to get back to us,"
de Silva said. Once VeriSign did hear back from Microsoft, the company
realized that the certificates should not have been issued.

"We screwed up in issuing the certificate," de Silva said. "However,
our second-stage fraud protection caught that mistake. We are not
trying to shift the blame."

The two certificates represent the first time VeriSign has falsely
issued such codes, de Silva added, noting that the company has handed
out more than 500,000 certificates. "Class 3" certificates come with
up to $100,000 in liability protection for the customer--in this case,
Microsoft.

VeriSign has "blacklisted" the certificates by placing them on a
revocation list. However, the certificates issued for software
authentication by VeriSign do not have a link the list and so do not
automatically protect customers against the fraudulent codes.

Microsoft said it intends to release an update next week that will
automatically detect the signatures and warn users that they are
invalid.

Roger Thompson, technical director of malicious code research for
security services company TruSecure, said the threat posed by the
certificates depends on who has access to them.

If an online vandal decided to spoof VeriSign just to brag, then there
will be little damage.

"It shouldn't be a problem as long as people understand what's going
on," he said. "The security bulletin tells how to determine if it is a
dead certificate, and any malicious code has to both fool the user and
any antivirus software."

Yet, if the cyberthief has an agenda, the damage could be significant.

"If it was someone with a purpose in mind, then six weeks is a long
time to do something," he said. If the attacker wanted to compromise a
company or a government agency by creating forged Microsoft-signed
certificates, the damage may already be done.

"If the job was to install a sniffer, then there could be a zillion
backdoors as a result of it," Thompson said. A sniffer allows an
intruder to grab everything typed by a person on a computer, including
passwords, and usually leads to a total compromise of security.

According to Thursday's security bulletin, detecting the phony "Class
3" certificates is fairly straightforward.

When people double-click a Web link to install a program, a "Security
Warning" dialog box pops up with details of the certificate used to
sign the code. The dialog box will appear even on computers where the
person had previously said to trust all Microsoft code.

People should click the hyperlinked "Microsoft Corporation" name to
get more information on the certificate. If the "Valid from" field
starts with either a Jan. 29, 2001, date or a Jan. 30, 2001, date, the
certificate is fraudulent and the person should not download the
software. (The time stamps are a day behind the issuing dates because
certificates are based on Greenwich Mean Time.)

Microsoft has asked anyone finding such a certificate to contact it at
secure () microsoft com

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".