VeriSign Inc. issued two code-signing certificates that have been found to be fraudulent and could be used to trick users into installing malicious code onto their computers, the security company said Thursday.
The certificates were issued in January to someone posing as an employee of Microsoft and the certificates bear the name "Microsoft Corporation," according to officials at both VeriSign and Microsoft.
VeriSign began investigating the certificates almost immediately after they were issued, but it was a full two weeks before they were officially revoked. Microsoft issued a security bulletin Thursday.
Users who download software over the Internet rely on code-signing certificates to verify who published it. Before signed code is installed, a dialog appears automatically showing the name of the code and of the developer that signed it.
The holder of the bogus certificates could use them to digitally sign code indicating that it is a product from Microsoft. The certificates could be used to trick users into installing code they believe has come from the software giant.
There have been no reports of the certificates being used, and Microsoft and VeriSign are working with the FBI and local law enforcement to find the perpetrator.
Microsoft issued a warning Thursday telling users to be suspicious of any code-signing certificate bearing the company's name. A technical solution in the form of a software update is in the works and should be available next week.
Code-signing certificates, which VeriSign classifies as Class 3 certificates, are typically used by Microsoft to verify the authenticity of ActiveX controls and Office macros. They cannot be used to sign e-mail or device drivers, or to encrypt data.
Microsoft's Scott Culp, security program manager at the Microsoft Security Response Center, warned users to check certificates before installing code that may be distributed over the Internet or through HTML-based e-mail.
"This is a serious issue," says Culp. "Even a prudent, security-conscious person upon seeing a signed certificate might make the decision to trust that certificate." Culp characterized the incident as "corporate identity theft."
VeriSign blamed the mistake on human error. Class 3 certificates are the highest-grade certificates that can be ordered online, but before one is issued VeriSign is required to telephone a named representative of the corporation requesting it. VeriSign would not confirm whether that is where the mostly automated process broke down.
"It was human error, and we are taking steps to ensure it can't be repeated," says Mahi deSilva, vice president and general manager of Applied Trust Services at VeriSign.
Microsoft officials are testing a software update that will cover Windows 95 and 98 desktops and Windows NT and 2000 desktops and servers. Updates also will be issued for other platforms that run Microsoft software, such as Macintosh.
The job of installing the update for enterprise users could be huge, because they will have to touch every copy of the Windows operating system software in their environment.
Automated software distribution will likely be a must.
"Our software could help distribute this update overnight when it becomes available," says Graeme Greenhill, president of Open Software Associates, which develops automated software distribution and management software called netDeploy.
Other distribution software, including Microsoft's Systems Management Server and Tally Systems' TS.Ready, also offers automated software distribution.

The update Microsoft is developing will install a revocation list within the operating system that flags the bogus certificates and prevents users from installing any code signed with them. A local list is needed because the two certificates carry no CRL distribution point, so Windows cannot discover VeriSign's revocation on its own; until the update is installed, the certificates still appear valid.
Signed code triggers a warning box before the software is installed. Within the warning box is the name of the organization that signed the code, and that name acts as a hyperlink to detailed information about the certificate.

Users should click on Microsoft's name within the warning box and look for the serial number 1B51 90F7 3724 399C 9254 or 750E 40FF 97F0 47ED F556. The dates of issue - Jan. 29 and Jan. 30 - also identify the certificates as bogus. Microsoft confirmed that no legitimate certificates were issued to it on those dates.
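The manual check above (open the signer's certificate, compare its serial number and issue date) can be automated across a directory of downloaded files. The following PowerShell script is an added example, not code from the article, from Microsoft or from VeriSign. It reads each file's Authenticode signer with the standard `Get-AuthenticodeSignature` cmdlet and flags signers whose serial number begins with either value printed above (matched as a prefix, on the assumption that the printed form may be shorter than the certificate's full serial) or whose "Microsoft Corporation" certificate was issued on Jan. 29 or Jan. 30. The year 2001 and the folder `C:\Downloads` are assumptions supplied here; neither appears on the page.

```powershell
# Added example: scan downloaded files for code signed with the two bogus
# "Microsoft Corporation" certificates. Not from the article or from
# Microsoft/VeriSign. Assumptions: the year 2001 and the folder C:\Downloads.

# Serial numbers as printed in the article, spaces removed. They are matched as
# prefixes in case the printed form is shorter than the certificate's serial.
$BogusSerialPrefixes = @(
    '1B5190F73724399C9254',
    '750E40FF97F047EDF556'
)

# Issue dates given in the article; the year is an assumption.
$BogusIssueDates = @(
    [datetime]'2001-01-29',
    [datetime]'2001-01-30'
)

function Test-BogusMicrosoftSigner {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    # X509Certificate2.SerialNumber is an uppercase hex string with no spaces.
    $serial = $Cert.SerialNumber.ToUpperInvariant()
    foreach ($prefix in $BogusSerialPrefixes) {
        if ($serial.StartsWith($prefix)) { return 'serial-match' }
    }
    # Secondary heuristic from the article: a "Microsoft Corporation" signer
    # whose certificate was issued on either flagged date. NotBefore is
    # converted to local time, so a certificate issued near midnight UTC can
    # land on the neighbouring day; treat a date hit as a prompt to inspect.
    if ($Cert.Subject -like '*Microsoft Corporation*') {
        foreach ($d in $BogusIssueDates) {
            if ($Cert.NotBefore.Date -eq $d.Date) { return 'date-match' }
        }
    }
    return $null
}

Get-ChildItem -Path 'C:\Downloads' -Recurse -Include *.exe,*.dll,*.ocx,*.cab |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($null -eq $sig.SignerCertificate) { return }   # unsigned file, skip
        $hit = Test-BogusMicrosoftSigner -Cert $sig.SignerCertificate
        [pscustomobject]@{
            File    = $_.FullName
            Signer  = $sig.SignerCertificate.Subject
            Serial  = $sig.SignerCertificate.SerialNumber
            Status  = $sig.Status
            Flagged = $hit
        }
    } |
    Where-Object { $_.Flagged } |
    Format-Table -AutoSize
```

The serial-number match is the reliable test, since a certificate's serial is unique per issuer and is exactly what a revocation list keys on; the date match is only a tiebreaker for a certificate whose serial has been read incorrectly. The `Status` column is included because a signature chaining to a revoked or untrusted certificate will no longer report `Valid` once a revocation list reaches the machine, which is a quick way to confirm that the update described above has taken effect.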
Microsoft's Culp also said users should install the Outlook Security Patch, which prevents the execution of any code delivered through HTML-based e-mail.
VeriSign says more than 500,000 code-signing certificates have been issued to date, and this is the first time any bogus certificates have been issued.
"We don't want to downplay the gravity of the situation, because the possibility of misuse is real," says VeriSign's deSilva. "But we are somewhat heartened by the fact that we haven't seen someone try to use these certificates. And we are somewhat ahead of the curve in making sure that desktops are inoculated."