SystemPro News - 2001-03-23


Microsoft recently issued a Security Bulletin stating that VeriSign, Inc. - the leading provider of security certificates - has issued two certificates with the corporate name "Microsoft Corporation" to an individual who fraudulently claimed to be a Microsoft employee.

The certificates in question were class 3 code signing certificates. They were issued on January 30 and 31, 2001. The common name assigned to both certificates is "Microsoft Corporation". The ability to sign executable content using keys that purport to belong to Microsoft would clearly be advantageous to an attacker who wished to convince users to allow the content to run.

The certificates could be used to sign programs, ActiveX controls, Office macros, and other executable content. Of these, signed ActiveX controls and Office macros would pose the greatest risk, because the attack scenarios involving them would be the most straightforward. Both ActiveX controls and Word documents can be delivered via either web pages or HTML mails. ActiveX controls can be automatically invoked via script, and Word documents can be automatically opened via script unless the user has applied the Office Document Open Confirmation Tool.

However, even though the certificates say they are owned by Microsoft, they are not bona fide Microsoft certificates, and content signed by them would not be trusted by default. Trust is defined on a certificate-by-certificate basis, rather than on the basis of the common name. As a result, a warning dialogue would be displayed before any of the signed content could be executed, even if the user had previously agreed to trust other certificates with the common name "Microsoft Corporation". The danger, of course, is that even a security-conscious user might agree to let the content execute, and might agree to always trust the bogus certificates.
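The point in the paragraph above, that trust is granted per certificate and not per common name, can be shown with a small model. The following is an added example written for this page, not code from Microsoft, VeriSign or Adiscon; the certificate fields, serial numbers, issuer string and key values are constructed placeholders, and a JSON serialisation stands in for the DER encoding a real implementation would hash. It contrasts the weak policy (trusting whatever carries a familiar name) with the per-certificate policy, and also models the danger the paragraph names: once a user clicks "always trust" on the look-alike certificate, later content signed with it runs without a prompt.

```python
"""Toy model of certificate-by-certificate trust for signed content.

Constructed example: two certificates share the common name
"Microsoft Corporation", but only one is in the trust store.  The
per-certificate policy keys on a fingerprint (a hash over the whole
certificate), so the look-alike certificate is never trusted silently.
"""
import hashlib
import json


def fingerprint(cert: dict) -> str:
    """Hash a stable serialisation of the certificate (stands in for DER)."""
    encoded = json.dumps(cert, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


# Constructed certificates; issuer, serials and keys are placeholders.
GENUINE_CERT = {
    "subject_cn": "Microsoft Corporation",
    "issuer": "Example Class 3 Code Signing CA (placeholder)",
    "serial": "01",
    "not_before": "2000-01-01",
    "public_key": "genuine-key-placeholder",
}

LOOKALIKE_CERT = {
    "subject_cn": "Microsoft Corporation",  # same common name as above
    "issuer": "Example Class 3 Code Signing CA (placeholder)",
    "serial": "02",
    "not_before": "2001-01-30",
    "public_key": "other-key-placeholder",
}


def decide_by_common_name(cert: dict, trusted_names: set) -> str:
    """Weak policy: run anything whose common name looks familiar."""
    return "run" if cert["subject_cn"] in trusted_names else "prompt"


class TrustStore:
    """Per-certificate trust, as described in the bulletin text.

    'always_trust' models the user clicking "always trust this
    publisher" in the warning dialogue; the store remembers the
    fingerprint, never the name.
    """

    def __init__(self):
        self._trusted_fingerprints = set()

    def always_trust(self, cert: dict) -> None:
        self._trusted_fingerprints.add(fingerprint(cert))

    def decide(self, cert: dict) -> str:
        # Only a certificate whose exact fingerprint was accepted runs
        # silently; everything else, same name or not, gets the dialogue.
        if fingerprint(cert) in self._trusted_fingerprints:
            return "run"
        return "prompt"


def compare_policies() -> dict:
    """Return the decisions each policy makes for the look-alike cert."""
    store = TrustStore()
    store.always_trust(GENUINE_CERT)  # user previously accepted the real one

    results = {
        "by_name": decide_by_common_name(LOOKALIKE_CERT, {"Microsoft Corporation"}),
        "by_certificate": store.decide(LOOKALIKE_CERT),
    }

    # The danger named in the bulletin: accepting the bogus certificate
    # in the dialogue makes later content signed with it run unprompted.
    store.always_trust(LOOKALIKE_CERT)
    results["after_user_accepts_lookalike"] = store.decide(LOOKALIKE_CERT)
    return results


if __name__ == "__main__":
    for policy, decision in compare_policies().items():
        print(f"{policy}: {decision}")
```

Running it shows the name-based policy letting the look-alike content run while the per-certificate store prompts, and then shows the prompt disappearing once the bogus certificate has been accepted once. The practical lesson for a reviewer of such a dialogue is to compare the certificate itself (issuer and serial, or thumbprint), not the displayed name.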

Please view the full security bulletin at

We at Adiscon recommend taking this issue seriously. The fact that the certificates were issued by VeriSign, Inc. might make matters even more confusing: VeriSign is very well known, and people might not get suspicious of a certificate issued by VeriSign.

Rainer Gerhards
