A Breach of Trust
|
March 22, 2001: When surfing the web or accepting documents from other persons, security is based largely on a matter of trust. If we don't know the person, we rightfully tend to be more suspicious. To help users determine what active content is valid and what is not, digitally signed certificates are used to verify the integrity of the content. Essentially, digital certificates provide proof of authenticity, proof of origin, and proof that the data has not been tampered with or modified. Now, even that is in question.
It appears that VeriSign, the foremost authority for digitally signed certificates, erroneously awarded two certificates to an unknown person masquerading as a Microsoft employee. These certificates could be used to digitally sign programs such as ActiveX controls and Word macros and both of these are capable of launching malicious code. While the programs cannot automatically run without the user accepting the certificate, the fact that the certificates are "signed" by Microsoft and "verified" by Verisign could cause even the most security conscious to allow them to run. The graphic above shows an example of what such a digital certificate looks like. Undoubtedly, most of us have encountered such certificates and. reassured by both the Microsoft and VeriSign names, clicked "Yes" without giving it a second thought. According to Microsoft, victims of the VeriSign oversight, users should check the certificate details before deciding whether to allow the content to run. The erroneously issued certificates bear the dates 1/30/2001 - 1/31/2002 and 1/29/2001 - 1/30/2002. A quick click on the More Info button will reveal the certificate dates, as shown in the example below.
If you've already accepted these certificates and thus made yourself vulnerable to the potential of malicious code attack, Microsoft will soon be publishing details of how to remove these certificates from your system. A security patch is also soon to be released, which will automatically render these ill-granted certificates from being granted permissions on your system.
While Microsoft is not at fault for this vulnerability, all Windows operating systems are at risk, including Microsoft Windows® 95
Microsoft Windows 98, Microsoft Windows Me, Microsoft Windows NT® 4.0 and Microsoft Windows 2000. Users of Outlook and Outlook Express should follow the instructions outlined in the Email Help Center to prevent ActiveX controls and scripts from executing within email. Additionally, download and install the Office Document Open Confirmation Tool to prevent Word documents from automatically loading via websites.
Microsoft Security Bulletin MS01-017 provides full details of this trust compromise and can be viewed at: http://www.microsoft.com/technet/security/bulletin/MS01-017.asp.
