March 29, 2001, 1:09 PM — Microsoft Corp. is developing updates for all versions of its Windows operating systems, from Windows 95 forward, for a digital certificate glitch that originated at security services vendor VeriSign Inc.
The companies warned last week that two digital certificates mistakenly issued in Microsoft's name could be used by malicious attackers to trick users into running unsafe programs. An advisory on Microsoft's Web site alerted users to any certificates issued on Jan. 29 or 30 and recommended some self-protection measures.
Digital certificates are used to prove the origin and authenticity of software programs and data on the Internet, a key requirement for users who are downloading patches or software updates. VeriSign and rival certificate authorities generate and digitally sign such certificates after first verifying the identity of the individual or organization that submitted the request.
"I don't like it," Josh Turiel, MIS manager at Holyoke Mutual Insurance Co. in Salem, Mass., said of the situation. His company has policies that prohibit any e-mail attachments from getting into the corporate network. And only network and systems administrators have the authority to install or download anything. But such measures may not be enough to protect against all the means of attack possible with the theft of these certificates, Turiel said.
"The obvious concern is that this makes it easier for someone to slip something through a weak link" that may have been overlooked until now, he said.
There's no telling what the holder of the two certificates might do with them, said Russ Cooper, an analyst at security consulting firm TruSecure Corp. in Reston, Va. But it's possible they could be used to sign a virtually unlimited amount of malicious code, he warned. "There's no mechanism to undo what has happened other than Microsoft spending money and time coming up with an update," he said.
The lapse raises serious questions about VeriSign's practices in issuing certificates, Cooper added. Class 3 certificates, the kind that were issued, are supposed to be issued only after the most stringent measures have been applied to ensure that the identity of the applicant is valid. "Obviously, that did not happen," he said. "Something broke down."
VeriSign's alert said the company is "taking active steps to augment technical controls and manual screening procedures around the vetting process of code-signing digital certificates." Mahi deSilva, a VeriSign vice president and general manager, blamed the snafu on human error and said the company's automated and manual processes for examining certificate applications and identifying the individuals who submit them had held up.