search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Unauthentic "Microsoft Corporation" certificates issued by Verisign to an unidentifed person

Vulnerability Note VU#869360

Original Release Date: 2001-03-27 | Last Revised: 2001-03-31

Overview

On January 29 and 30, 2001, VeriSign, Inc. issued two certificates to an individual fraudulently claiming to be an employee of Microsoft Corporation. Any code signed by these certificates will appear to be legitimately signed by Microsoft when, in fact, it is not. Although users who try to run code signed with these certificates will generally be presented with a warning dialog, there will not be any obvious reason to believe that the certificate is not authentic.

Description

Microsoft released a security bulletin on March 22, 2001, describing two certificates issued by VeriSign to an individual fraudulently claiming to be an employee of Microsoft. The full text of Microsoft's security bulletin is available from their web site at


Additional information about this issue is also available from VeriSign's web site:

This issue presents a security risk because even a reasonably cautious user could be deceived into trusting the bogus certificates, since they appear to be from Microsoft. Once accepted, these certificates may allow an attacker to execute malicious code on the user's system.

This problem is the result of a failure by the certificate authority to correctly authenticate the recipient of a certificate. Verisign has taken the appropriate action by revoking the certificates in question. However, this in itself is insufficient to prevent the malicious use of these certificates until a patch has been installed, because Internet Explorer does not check for such revocations automatically. Indeed, because the Certificates issued by Verisign do not contain any information regarding where to check for a revocation, Internet Explorer, or any browser, is unable to check for revocations of these certificates. Microsoft is developing an update that will enable revocation checking and install a revocation handler that compensates for the lack of information in the certificate.

Impact

Anyone with the private portions of the certificates can sign code such that it appears to have originated from Microsoft Corporation. If the user approves the execution of code signed by one of the bogus certificates, it can take any action on the system with the privileges of the user who approved the execution. The fake certificates can only be used for Authenticode signing.

Solution

Apply a Patch from Your Vendor

Microsoft has released an update to correct this vulnerability. The patch is described in more detail in the Microsoft security bulletin at

Check "Microsoft Corporation" Certificates

You can identify the fake certificates by checking the validity dates and serial numbers of the certificates. When prompted to authorize the execution of code signed by "Microsoft Corporation", press the "More Info" button to obtain additional information about the certificate used to sign the code.

The fake certificates have the following description:

    Issued to: Microsoft Corporation
    Issued by: VeriSign Commercial Software Publishers CA
    Valid from 1/29/2001 to 1/30/2002
    Serial number is 1B51 90F7 3724 399C 9254 CD42 4637 996A

    Issued to: Microsoft Corporation
    Issued by: VeriSign Commercial Software Publishers CA
    Valid from 1/30/2001 to 1/31/2002
    Serial number is 750E 40FF 97F0 47ED F556 C708 4EB1 ABFD

No legitimate certificates were issued to Microsoft between January 29 and 30, 2001. Certificates with these initial validity dates or serial numbers should not be authorized to execute code.

The certificate revocation list for the fake certificates can be found at

Vendor Information

869360
Expand all

Microsoft

Notified:  March 22, 2001 Updated:  March 26, 2001

Status

  Vulnerable

Vendor Statement

Microsoft has published a security bulletin describing this issue at:

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Netscape

Notified:  March 22, 2001 Updated:  March 26, 2001

Status

  Not Vulnerable

Vendor Statement

Netscape takes all security and privacy issues very seriously. The Netscape browser does not allow the execution of ActiveX controls, signed or unsigned, and therefore Netscape users are not vulnerable to exploits which rely on signed ActiveX. In the unlikely event that Netscape users are presented with signed content from Microsoft requesting enhanced privileges, Netscape users can protect themselves by denying permission to any such request.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

This document was written by Cory F. Cohen.

Other Information

CVE IDs: None
CERT Advisory: CA-2001-04
Severity Metric: 6.70
Date Public: 2001-03-22
Date First Published: 2001-03-27
Date Last Updated: 2001-03-31 00:26 UTC
Document Revision: 9

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.