Look out for fraudulent Microsoft digital certificates

The Microsoft digital certificates that VeriSign mistakenly issued to an imposter have been big news recently. In this Locksmith column, John McCormick shows you what to be aware of so you don't become a victim of this fraud.


Did you recently get some authenticated code from Microsoft? A VeriSign-certified message from Microsoft to a security department would get your attention pretty quickly, which is why Microsoft and VeriSign are so upset that the digital-signature certificate authority was recently tricked into issuing two Class 3 code-signing digital certificates to someone fraudulently claiming to work for Microsoft.

As Microsoft correctly points out, this is not technically a security vulnerability and isn’t due to any flaw in Microsoft programs. This problem is entirely due to human error by a third party, VeriSign—but that doesn’t make it any less dangerous than a bug in your software.

Danger level: Short-term but potentially extreme
The fraudulent signature makes it appear that executable code originated at Microsoft. So if the malefactor were to create a virus or other destructive code and send it out disguised as an urgent security patch, the chances are good that a number of users would immediately run the program, leading to untold damage.

The fact that you don’t regularly get messages from Microsoft doesn’t offer any protection because the code can come from MS-signed Office macros and ActiveX controls through Web pages or HTML e-mail.

In this case, the code would not automatically run, nor would it bypass any usual Microsoft program security. However, the usual warning message that appears and requires user intervention before executing the code would carry a message that this code originated at Microsoft and is therefore trusted code. (You can see a sample security warning on Microsoft’s TechNet site.) Even the most security-conscious manager could be reassured by such a message and be tricked into running the malicious code.

What’s most troubling about this major security fiasco is that the certificates were issued on Jan. 29 and 30 of this year, so by the time Microsoft Security Bulletin MS01-017 was originally issued—on March 22—a number of users could already have been tricked.

Who does this affect?
This is a problem for almost any Microsoft software user. In particular, it affects Windows 95, Windows 98, Windows Me, Windows NT 4.0, and Windows 2000.

What problems can this cause?
Microsoft described the situation like this:
“The certificates could be used to sign programs, ActiveX controls, Office macros, and other executable content. Of these, signed ActiveX controls and Office macros would pose the greatest risk, because the attack scenarios involving them would be the most straightforward. Both ActiveX controls and Word documents can be delivered via either Web pages or HTML mails. ActiveX controls can be automatically invoked via script, and Word documents can be automatically opened via script unless the user has applied the Office Document Open Confirmation Tool.”

What should you do?
Microsoft has developed a patch for Internet Explorer that will recognize and block these fraudulent certificates. See the next section for an exact description of the fraudulent certificates.

Certificate details
VeriSign has released the following identification of the fraudulent certificates and has stated that no valid Microsoft certificates were issued on these dates, so you can be certain that any with these issue dates are not valid.
  • “Certificate 1:
    Issued by VeriSign Commercial Software Publishers CA
    Validity period is 1/29/2001 to 1/30/2002
    Serial number is 1B51 90F7 3724 399C 9254 CD42 4637 996A
  • Certificate 2:
    Issued by VeriSign Commercial Software Publishers CA
    Validity period is 1/30/2001 to 1/31/2002
    Serial number is 750E 40FF 97F0 47ED F556 C708 4EB1 ABFD”

If you encounter these certificates, VeriSign asks that you contact VeriSign's Emergency Security Team at (650) 429-5237 or e-mail vest@verisign.com.
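As an added example (not part of the original column or of any Microsoft or VeriSign tool), the following Python check matches a certificate's issuer, serial number and issue date against the details VeriSign published above. The serial normalization, the verdict strings and the sample records are my own constructions; the sample records are not real certificates.

```python
from datetime import date

# Identifying fields VeriSign published for the two fraudulent certificates.
FRAUDULENT_ISSUER = "VeriSign Commercial Software Publishers CA"
FRAUDULENT_SERIALS = (
    "1B51 90F7 3724 399C 9254 CD42 4637 996A",  # Certificate 1
    "750E 40FF 97F0 47ED F556 C708 4EB1 ABFD",  # Certificate 2
)
# VeriSign stated that no genuine Microsoft certificate was issued on these dates.
SUSPECT_ISSUE_DATES = {date(2001, 1, 29), date(2001, 1, 30)}

def normalize_serial(serial):
    """Canonical upper-case hex, no separators or leading zeros, so the
    renderings of different tools compare equal: '1B51 90F7 ...',
    '1b:51:90:f7:...', '0x1b5190f7...' or a plain integer."""
    if isinstance(serial, int):
        hexstr = format(serial, "X")
    else:
        hexstr = "".join(ch for ch in serial if ch not in " :-").upper()
        if hexstr.startswith("0X"):
            hexstr = hexstr[2:]
        int(hexstr, 16)  # ValueError if the text is not hexadecimal
    return hexstr.lstrip("0") or "0"

_FRAUD_SET = {normalize_serial(s) for s in FRAUDULENT_SERIALS}

def classify(issuer, serial, not_before, subject_org):
    """Verdict for one certificate; not_before is a date or an ISO date string."""
    if isinstance(not_before, str):
        not_before = date.fromisoformat(not_before)
    if issuer != FRAUDULENT_ISSUER:
        return "ok: other issuer"
    if normalize_serial(serial) in _FRAUD_SET:
        return "block: serial matches a revoked fraudulent certificate"
    if "Microsoft" in subject_org and not_before in SUSPECT_ISSUE_DATES:
        return "block: Microsoft certificate issued on a suspect date"
    return "ok"

# Constructed sample records (not real certificates) in the formats tools print.
SAMPLE_RECORDS = [
    (FRAUDULENT_ISSUER, "1b:51:90:f7:37:24:39:9c:92:54:cd:42:46:37:99:6a", "2001-01-29", "Microsoft Corporation"),
    (FRAUDULENT_ISSUER, 0x750E40FF97F047EDF556C7084EB1ABFD, "2001-01-30", "Microsoft Corporation"),
    (FRAUDULENT_ISSUER, "0A1B2C3D", "2001-01-30", "Microsoft Corporation"),
    (FRAUDULENT_ISSUER, "0A1B2C3D", "2000-11-15", "Microsoft Corporation"),
    ("Some Other CA", "750E 40FF 97F0 47ED F556 C708 4EB1 ABFD", "2001-01-30", "Microsoft Corporation"),
]

def scan(records=SAMPLE_RECORDS):
    """Return [(canonical serial, verdict), ...] for a batch of records."""
    return [(normalize_serial(r[1]), classify(*r)) for r in records]
```

The issue-date rule is a fallback for the case where only the issuer and validity period of a certificate are visible; the serial match is the authoritative check.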

Background on digital certificates
Digital certificates guarantee the authenticity of messages or executable code by showing that they came from the indicated source.

The actual certificates are protected by public key cryptography, but as this occurrence shows once again, the weakest link in any such security program is human error and the possibility that a perfectly valid certificate can be fraudulently obtained.

It’s important to remember that the certificates in question were completely valid, correct certificates: in no way was the underlying cryptography compromised, and there was no hole in Microsoft code. What happened here was that someone was able to trick VeriSign into believing that he was a Microsoft representative and was thus able to fraudulently obtain valid certificates.

Of the half-million Class 3 Certificates issued by VeriSign, this is the first known instance of erroneously issued certification. Because the case is being treated as a federal crime, few details are available.

This is VeriSign’s explanation of how a code-signing certificate is used:

“A VeriSign Code Signing Digital ID enables software developers to digitally sign software and macros for secure delivery over the Internet. Customers who download this signed content from a Web site can be confident that code really comes from a bona fide software publisher and hasn't been altered or corrupted since it was created and signed.”

More information on code signing is available from VeriSign.

Class 3 Certificates are very important. The easiest way to understand how important Class 3 Digital Certificates are is to look at the liability cap placed on various classes of certificates by the VeriSign agreement.
  • “Class 1: $100.00 U.S.
  • Class 2: $5,000.00 U.S.
  • Class 3: $100,000.00 U.S.”

Here’s VeriSign’s take on this debacle.

Lessons to be learned
VeriSign has already revoked the two fraudulent certificates, but this raises yet another problem. When digital certificates work correctly, they eliminate many security headaches. But since, as we now know, they can be fraudulently issued (or revoked for other reasons), to be really secure you must:
  • Treat newly issued certificates with suspicion until you are certain they weren’t issued erroneously.
  • Keep track of revoked certificates.

This adds yet another layer of tasks to the list that any top-flight security operation must handle.

You can download the revocation list here. You can also be notified through the VeriSign real-time Online Certificate Status Protocol (OCSP) Services.
