Microsoft is developing updates for all versions of its Windows operating systems, from Windows 95 forward, for a digital certificate glitch that originated at security services vendor VeriSign.
The companies warned recently that two digital certificates mistakenly issued in Microsoft's name could be used by malicious attackers to trick users into running unsafe programs. An advisory on Microsoft's Web site alerted users to any certificates issued on January 29 or 30 and recommended some self-protection measures.
Digital certificates are used to prove the origin and authenticity of software programs and data on the Internet, a key requirement for users who are downloading patches or software updates. VeriSign and rival certificate authorities generate and digitally sign such certificates after first verifying the identity of the individual or organisation that submitted the request.
"I don't like it," Josh Turiel, MIS manager at US-based Holyoke Mutual Insurance said of the situation. His company has policies that prohibit any e-mail attachments from getting into the corporate network. And only network and systems administrators have the authority to install or download anything. But such measures may not be enough to protect against all the means of attack possible with the theft of these certificates, Turiel said.
"The obvious concern is that this makes it easier for someone to slip something through a weak link" that may have been overlooked until now, he said.
There's no telling what the holder of the two certificates might do with them, said Russ Cooper, an analyst at security consulting firm TruSecure. But it's possible they could be used to sign a virtually unlimited amount of malicious code, he warned. "There's no mechanism to undo what has happened other than Microsoft spending money and time coming up with an update," he said.
The lapse raises serious questions about VeriSign's practices in issuing certificates, Cooper added. Class 3 certificates, the kind that were issued, are supposed to be issued only after the most stringent measures have been applied to ensure that the identity of the applicant is valid. "Obviously, that did not happen," he said. "Something broke down."
VeriSign's alert said the company is "taking active steps to augment technical controls and manual screening procedures around the vetting process of code-signing digital certificates." Mahi deSilva, a VeriSign vice president and general manager, blamed the snafu on human error and said the company's automated and manual processes for examining certificate applications and identifying the individuals who submit them had held up.
In fact, deSilva said during an interview, it was because VeriSign's process functioned properly that the company was able to discover the fraud. The person to whom VeriSign issued the certificates "was able to get through the screening process as a bona fide representative of Microsoft only because of human error," he said.
The certificates were erroneously issued in late January by VeriSign to an individual who claimed to be a Microsoft employee. The certificates "are of a type that can be used to digitally sign programs, including ActiveX controls and Office macros," thus appearing to make it look like the programs are bona fide Microsoft products, the advisory stated.
An attacker armed with the certificates could potentially host a malicious program on a Web site and then try to fool users into installing and running the software, Microsoft said. The attacker could also choose to package the malicious code as an ActiveX control, an Office document with macros or other executable content.
VeriSign has revoked the fraudulent certificates and included them in its Certification Revocation List. But Microsoft said the list can't be automatically downloaded by Web browsers, and that has forced the company to develop an operating system update with information about the revoked certificates. Microsoft said the operating system updates aren't available yet "because of the large number of platforms that must be tested".