Original release date: March 22, 2001<BR>
Last revised: March 30, 2001<BR>

Source: CERT/CC<BR>

<P>A complete revision history can be found at the end of this file.

<A NAME="affected"></a>
<H3>Systems Affected</H3>

Systems whose users run code signed by Microsoft Corporation.

<A NAME="overview"></a>
<H2>Overview</H2> 

<P>On January 29 and 30, 2001, VeriSign, Inc. issued two certificates
to an individual fraudulently claiming to be an employee of Microsoft
Corporation.  Any code signed by these certificates will appear to be
legitimately signed by Microsoft when, in fact, it is not.  Although
users who try to run code signed with these certificates will
generally be presented with a warning dialog, there will not be any
obvious reason to believe that the certificate is not authentic.
</P>

<A NAME="description"></a>
<H2>I. Description</H2>

<P>Microsoft released a security bulletin on March 22, 2001,
describing two certificates issued by VeriSign to an individual
fraudulently claiming to be an employee of Microsoft.  The full text
of Microsoft's security bulletin is available from their web site at

<DL><DD>
<A HREF="http://www.microsoft.com/technet/security/bulletin/MS01-017.asp">
http://www.microsoft.com/technet/security/bulletin/MS01-017.asp</A>
</DL>

<P>Additional information about this issue is also available from
VeriSign's web site:

<DL><DD>
<A HREF="http://www.verisign.com/developer/notice/authenticode/index.html">
http://www.verisign.com/developer/notice/authenticode/index.html</A>
</DL>

<P>This issue presents a security risk because even a reasonably
cautious user could be deceived into trusting the bogus certificates,
since they appear to be from Microsoft.  Once accepted, these
certificates may allow an attacker to execute malicious code on the
user's system.

<P>This problem is the result of a failure by the certificate
authority to correctly authenticate the recipient of a certificate.
VeriSign has taken the appropriate action by revoking the certificates
in question.  However, this in itself is insufficient to prevent the
malicious use of these certificates until a patch has been installed,
because Internet Explorer does not check for such revocations
automatically. Indeed, because the certificates issued by VeriSign do
not contain any information regarding where to check for a revocation
(a CRL distribution point), Internet Explorer, or any browser, is
unable to check for revocations of these certificates.  Microsoft is
developing an update that will enable revocation checking and install
a revocation handler that compensates for the lack of information in
the certificate.

<A NAME="impact"></a>
<H2>II. Impact</H2>

<P>Anyone with the private portions of the certificates can sign code
such that it appears to have originated from Microsoft Corporation.
If the user approves the execution of code signed by one of the bogus
certificates, it can take any action on the system with the privileges
of the user who approved the execution.  The fake certificates can
only be used for Authenticode signing.

<A NAME="solution"></a>
<H2>III. Solution</H2>

<H3>Apply a Patch from Your Vendor</H3>

<P>Microsoft has released an update to correct this vulnerability.
The patch is described in more detail in the Microsoft security
bulletin at

<DL><DD>
<A HREF="http://www.microsoft.com/technet/security/bulletin/MS01-017.asp">
http://www.microsoft.com/technet/security/bulletin/MS01-017.asp</A>
</DL>

<H3>Check "Microsoft Corporation" Certificates</H3>

<P>You can identify the fake certificates by checking the validity
dates and serial numbers of the certificates.  When prompted to
authorize the execution of code signed by "Microsoft Corporation",
press the "More Info" button to obtain additional information about
the certificate used to sign the code.

<P>The fake certificates have the following description:

<DL><DD>
Issued to: Microsoft Corporation<BR>
Issued by: VeriSign Commercial Software Publishers CA<BR>
Valid from 1/29/2001 to 1/30/2002<BR>
Serial number is 1B51 90F7 3724 399C 9254 CD42 4637 996A<BR>
<BR>
<BR>
Issued to: Microsoft Corporation<BR>
Issued by: VeriSign Commercial Software Publishers CA<BR>
Valid from 1/30/2001 to 1/31/2002<BR>
Serial number is 750E 40FF 97F0 47ED F556 C708 4EB1 ABFD<BR>
</DL>

<P>No legitimate certificates were issued to Microsoft between January
29 and 30, 2001.  Certificates with these initial validity dates or
serial numbers should not be authorized to execute code.  

<P>The certificate revocation list for the fake certificates can be
found at

<DL><DD>
<A HREF="http://crl.verisign.com/Class3SoftwarePublishers.crl">
http://crl.verisign.com/Class3SoftwarePublishers.crl</A>
</DL>
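<P>As an added, defender-side example that is not part of this advisory, the following Python script applies the checks described above to certificate fields as they appear in the "More Info" dialog: a match against the two serial numbers, a "Microsoft Corporation" certificate from this issuer with a January 29 or 30, 2001 start date, and the absence of a CRL distribution point that prevents automatic revocation checking. The <CODE>CodeSigningCert</CODE> class and the sample values are constructed for the example; the serial numbers, issuer name and dates are those given in this advisory.

```python
from dataclasses import dataclass
from datetime import date, datetime

# Serial numbers of the two fraudulent certificates, as printed in the advisory.
FRAUDULENT_SERIALS = {
    "1B5190F73724399C9254CD424637996A",
    "750E40FF97F047EDF556C7084EB1ABFD",
}
SUSPECT_ISSUER = "VeriSign Commercial Software Publishers CA"
SUSPECT_SUBJECT = "Microsoft Corporation"
# No legitimate certificate was issued to Microsoft on these two days.
SUSPECT_ISSUE_DATES = (date(2001, 1, 29), date(2001, 1, 30))

def parse_date(text: str) -> date:
    """Parse the M/D/YYYY form used in the advisory and in the certificate dialog."""
    return datetime.strptime(text, "%m/%d/%Y").date()

def normalize_serial(serial: str) -> str:
    """Canonical uppercase hex without separators: '1B51 90F7' or '1b:51:90:f7' -> '1B5190F7'."""
    return "".join(ch for ch in serial.upper() if ch in "0123456789ABCDEF")

@dataclass
class CodeSigningCert:                  # constructed for this example
    subject: str
    issuer: str
    serial: str                         # hex in any spacing/colon/case convention
    valid_from: str                     # M/D/YYYY, as shown in the dialog
    valid_to: str
    crl_distribution_points: tuple = () # URLs from the CDP extension, empty if absent

def assess(cert: CodeSigningCert) -> list:
    """Return the reasons to refuse this certificate; an empty list means no finding."""
    findings = []
    if normalize_serial(cert.serial) in FRAUDULENT_SERIALS:
        findings.append("serial number matches a known fraudulent certificate")
    if (cert.subject == SUSPECT_SUBJECT and cert.issuer == SUSPECT_ISSUER
            and parse_date(cert.valid_from) in SUSPECT_ISSUE_DATES):
        findings.append("issued to Microsoft on 2001-01-29/30, when no legitimate certificate was issued")
    if not cert.crl_distribution_points:
        findings.append("no CRL distribution point: the browser cannot check revocation automatically")
    return findings

if __name__ == "__main__":
    # Constructed sample: the first fraudulent certificate, fields copied from the advisory.
    bogus = CodeSigningCert("Microsoft Corporation", SUSPECT_ISSUER,
                            "1B51 90F7 3724 399C 9254 CD42 4637 996A", "1/29/2001", "1/30/2002")
    for reason in assess(bogus):
        print("REFUSE:", reason)
```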

<A NAME="vendors"></a>
<H2>Appendix A. - Vendor Information</H2>

<H3>Microsoft Corporation</H3>

<P>Microsoft has published a security bulletin describing this issue
at

<DL><DD>
<A HREF="http://www.microsoft.com/technet/security/bulletin/MS01-017.asp">
http://www.microsoft.com/technet/security/bulletin/MS01-017.asp</A>
</DL>

<H3>Netscape</H3>

<P>Netscape takes all security and privacy issues very seriously. The
Netscape browser does not allow the execution of ActiveX controls,
signed or unsigned, and therefore Netscape users are not vulnerable to
exploits which rely on signed ActiveX. In the unlikely event that
Netscape users are presented with signed content from Microsoft
requesting enhanced privileges, Netscape users can protect themselves
by denying permission to any such request.


<P>Copyright 2001 Carnegie Mellon University.</P>

<P>Revision History
<PRE>
March 22, 2001: Initial release 
March 25, 2001: Clarified that IE, or any browser, is unable to check for revocations of certificates that don't contain CDP information.
March 27, 2001: Added a sentence about Microsoft's update.
March 30, 2001: Added information about the software update from Microsoft.
</PRE>