IWS - The Information Warfare Site

ADVISORY 01-006

Warning Not To Accept VeriSign Microsoft Digital Certificates dated January 29-30, 2001
March 23, 2001

Microsoft Corporation and VeriSign Incorporated have issued advisories regarding the theft of two VeriSign Class 3 Software Publisher digital certificates. The certificates are dated January 29 and 30, 2001, and should not be accepted. The FBI is investigating this matter.

The NIPC concurs that this incident poses a significant security threat because an unauthorized user of these certificates could misrepresent malicious software as an authentic Microsoft product. These include, for example, programs, updates, patches, macros, and other downloads available over the Internet. The NIPC is advising all Internet users to manually approve all certificates until a patch, which Microsoft is currently developing, is available and installed.

Digital certificates are designed to protect both businesses and consumers. First, they help verify a web site, so consumers know that they are dealing with the legitimate web site of a particular company. Second, they protect the secure communications between the company and the consumer, such as any e-commerce information or private information about the consumer. Finally, digital certificates authorize the execution of certain code, primarily ActiveX. Consumers who ignore messages about inconsistencies in a web site's certificates open their systems up to the possibility of receiving malicious code.

A stolen digital certificate may allow the thief to present his or her web site or software as coming from a trusted source, in this case Microsoft. Running malicious software (written in ActiveX, Java, JavaScript, or Visual Basic, for example) could easily damage or compromise a user's system. The effects range from deleting or overwriting key system files to installing software or extracting data from files or cookies—including private or financial information.

VeriSign has revoked the fraudulent certificates. However, neither Internet Explorer nor Netscape Navigator will recognize and reject them automatically. Although Netscape Navigator does not execute ActiveX, Java and other software may still affect Netscape users. Until a patch is available, the short-term solution is to review every certificate manually. Both Internet Explorer and the Netscape browser will allow at least an initial review of the certificate before allowing certain executable code to run. To review the certificate, click on the signer's name to see the details of the certificate. If it states that it was issued to Microsoft by VeriSign on January 29 or 30, 2001, do not accept the certificate. Microsoft did not receive legitimate certificates on those dates.

Users should also check to see if they have accepted the certificates since their issuance. Netscape Navigator users can review their certificates by clicking on the Security button, and then selecting Certificates and Signers. Users of Internet Explorer, version 4.0, can examine their systems by clicking on View, Internet Options, and selecting the Content tab, and then the Publishers button in the Certificates box. Users of Internet Explorer, version 5.0, can examine their systems by clicking on Tools, Internet Options, and selecting the Content tab, and then the Certificates button.
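The manual check described above (issued by VeriSign, issued to Microsoft, dated January 29 or 30, 2001) expressed as a small Go program, as an added example that is not code from NIPC, Microsoft or VeriSign. It treats the certificate's NotBefore field as the issuance date a browser displays, assumes the vendor names appear in the Organization or Common Name fields, and builds a constructed, locally signed test certificate so the check can be exercised offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// flaggedDates holds the two issuance dates the advisory names (UTC calendar days).
var flaggedDates = map[string]bool{"2001-01-29": true, "2001-01-30": true}

// FlaggedByAdvisory applies the advisory's manual check to a parsed certificate:
// issued by VeriSign, issued to Microsoft, valid from January 29 or 30, 2001.
func FlaggedByAdvisory(c *x509.Certificate) bool {
	issuer := strings.Join(c.Issuer.Organization, " ") + " " + c.Issuer.CommonName
	subject := strings.Join(c.Subject.Organization, " ") + " " + c.Subject.CommonName
	return strings.Contains(issuer, "VeriSign") && strings.Contains(subject, "Microsoft") &&
		flaggedDates[c.NotBefore.UTC().Format("2006-01-02")]
}

// MakeTestCert builds a constructed CA-signed code-signing certificate (not the stolen
// one) so the check runs offline; one key serves both CA and leaf for brevity.
func MakeTestCert(subjectOrg, issuerOrg string, notBefore time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:   pkix.Name{Organization: []string{issuerOrg}},
		NotBefore: notBefore.AddDate(-1, 0, 0), NotAfter: notBefore.AddDate(5, 0, 0)}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2),
		Subject:     pkix.Name{Organization: []string{subjectOrg}},
		NotBefore:   notBefore, NotAfter: notBefore.AddDate(1, 0, 0),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	der, err := x509.CreateCertificate(rand.Reader, leaf, ca, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A certificate carrying "Microsoft Corporation" as subject, "VeriSign, Inc." as issuer and a NotBefore on one of the two dates is flagged; the same subject and issuer with any other date, or another subject on those dates, is not.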

If you find the certificates described above, please report this to your local FBI Field Office or the NIPC Watch and Warning Unit at (202) 323-3205. Incidents can be reported online at http://www.nipc.gov/incident/incident.htm.

Additional information regarding this problem is available from the following organizations:

Microsoft Corporation
http://www.microsoft.com/technet/security/bulletin/MS01-017.asp

VeriSign Incorporated
http://www.verisign.com/developer/notice/authenticode/index.html

CERT/CC
http://www.cert.org/advisories/CA-2001-04.html