Microsoft vexed by falsified certs
Kevin Poulsen, SecurityFocus 2001-03-22

Scam artist duped VeriSign into issuing digital certificates under software-maker's name.

Microsoft is scrambling to revoke two digital certificates that were issued last January by California-based VeriSign to a scam artist posing as a Microsoft employee.

Digital certificates are used to electronically sign computer programs and patches so that end users can be assured that the code came from a particular person or company, and was not subject to tampering in transit. The technology relies on trusted third-party "certificate authorities" who issue the certificates and vouch for their authenticity to users.

In January, someone posing as a Microsoft employee persuaded VeriSign, the largest U.S. certificate authority, to issue two certificates under Microsoft's name.

"They came to our web site, they signed on as a Microsoft employee... and provided enough correlatable information that led us to believe that it was a bona fide order," says Mahi deSilva, VP of applied trust service at VeriSign.

VeriSign has procedures in place to prevent such chicanery, deSilva said, but on this occasion a company employee failed to properly verify the order. "It was our failure, and it was human error."

Law enforcement is investigating.

Microsoft warned that the culprit could use the certificates to trick users into running malicious code, signing Trojan horses and viruses with Microsoft's name, then planting them on web sites or sending them in email. Users would still have to click 'yes' in a dialog box before the code would execute.

"The certificates could be used to digitally sign programs, Active-X controls, Office macros, and other executable content," a company spokesman said Thursday. "Once we were informed of the error by VeriSign last week, we immediately began taking steps to protect our customers."

Microsoft plans to distribute software to revoke the fraudulent certificates. In the meantime, the company encourages users to keep their eyes open for certificates dated January 29th or 30th. No legitimate Microsoft certificates were issued with those dates.

Information is also available from VeriSign.

According to a source familiar with the incident, the hacker used a stolen credit card number to obtain the certificates--a detail deSilva would neither confirm nor deny.

"We've been asked not to talk about the specifics. But there is an active investigation with the bank associated with that card, around the usage of that card."