Digital certificates are used to electronically sign computer programs and patches so that end users can be assured that the code came from a particular person or company, and was not subject to tampering in transit. The technology relies on trusted third-party "certificate authorities" who issue the certificates and vouch for their authenticity to users.
On 30 and 31 January, someone posing as a Microsoft employee persuaded VeriSign, the largest US certificate authority, to issue two certificates under Microsoft's name.
"They came to our Web site, they signed on as a Microsoft employee... and provided enough correlatable information that led us to believe that it was a bona fide order," says Mahi deSilva, VP of applied trust service at VeriSign.
VeriSign has procedures in place to prevent such chicanery, deSilva said, but on this occasion a company employee failed to properly verify the order. "It was our failure, and it was human error."
Law enforcement is investigating.
Microsoft warned that the culprit could use the certificates to trick users into running malicious code, signing Trojan horses and viruses with Microsoft's name, then planting them on Web sites or sending them via e-mail. Users would still have to click Yes in a dialog box before the code would execute.
"The certificates could be used to digitally sign programs, ActiveX controls, Office macros and other executable content," a company spokesman said. "Once we were informed of the error by VeriSign last week, we immediately began taking steps to protect our customers."
Microsoft plans to distribute software to revoke the fraudulent certificates. In the meantime, the company encourages users to keep their eyes open for certificates dated 30 or 31 January. No legitimate Microsoft certificates were issued those days.
Further information is available from VeriSign.
According to a source familiar with the incident, the hacker used a stolen credit card number to obtain the certificates - a detail deSilva would neither confirm nor deny.
"We've been asked not to talk about the specifics. But there is an active investigation with the bank associated with that card, around the usage of that card." ®
Copyright © 2001 SecurityFocus.com. All rights reserved.