In fact, deSilva said during an interview, it was because VeriSign's process functioned properly that the company was able to discover the fraud. The person to whom VeriSign issued the certificates "was able to get through the screening process as a bona fide representative of Microsoft only because of human error," he said.
The certificates were erroneously issued in late January by Mountain View, Calif.-based VeriSign to an individual who claimed to be a Microsoft employee. The certificates "are of a type that can be used to digitally sign programs, including ActiveX controls and Office macros," making programs signed with them appear to be bona fide Microsoft products, the advisory stated.
An attacker armed with the certificates could potentially host a malicious program on a Web site and then try to fool users into installing and running the software, Microsoft said. The attacker could also choose to package the malicious code as an ActiveX control, an Office document with macros or other executable content.
VeriSign has revoked the fraudulent certificates and included them in its Certificate Revocation List (CRL). But Microsoft said the list can't be automatically downloaded by Web browsers, and that has forced the company to develop an operating system update with information about the revoked certificates. Microsoft said the operating system updates aren't available yet "because of the large number of platforms that must be tested."
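The gap Microsoft describes, that a revocation is only as good as the client's willingness to consult the CRL, can be reproduced on a throwaway PKI. The script below is an added example, not code from the article, VeriSign or Microsoft: it stands up a self-signed demo CA, issues a signer certificate, revokes it and publishes a CRL, then verifies the signer twice, once the way a client that never fetches the CRL sees it and once with the CRL in hand. All names and file names (Demo Issuing CA, Demo Code Signer, ca.cnf, crl.pem) are constructed for the demonstration; it assumes an `openssl` binary on PATH.

```shell
#!/bin/sh
# Added example (not from the article): a demo CA revokes a signer
# certificate, and verification shows that only a client which checks
# the CRL notices. Every name and file here is constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal `openssl ca` configuration: just what -revoke and -gencrl need.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_crl_days = 1
crlnumber        = $dir/crlnumber
policy           = demo_policy
[ demo_policy ]
commonName       = supplied
EOF

build_pki() {
  # Self-signed demo CA (stand-in for the issuing CA).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Issuing CA" -keyout ca.key -out ca.crt 2>/dev/null
  # Signer certificate (stand-in for a mis-issued code-signing certificate).
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Code Signer" -keyout signer.key -out signer.csr 2>/dev/null
  openssl x509 -req -in signer.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -out signer.crt 2>/dev/null
  # Empty CA database and a starting CRL number.
  : > index.txt
  echo 01 > crlnumber
}

revoke_signer() {
  # Record the revocation in the CA database, then publish a CRL.
  openssl ca -config ca.cnf -revoke signer.crt >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
}

# verify_signer MODE -> prints "accepted" or "rejected"
#   MODE=no_crl : chain check only, as a client that never downloads the CRL does
#   MODE=crl    : chain check plus revocation check against the published CRL
verify_signer() {
  if [ "$1" = crl ]; then
    openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem signer.crt \
      >/dev/null 2>&1 && echo accepted || echo rejected
  else
    openssl verify -CAfile ca.crt signer.crt \
      >/dev/null 2>&1 && echo accepted || echo rejected
  fi
}

build_pki
BEFORE_REVOCATION="$(verify_signer no_crl)"   # accepted
revoke_signer
WITHOUT_CRL="$(verify_signer no_crl)"         # still accepted: the revocation never reached this client
WITH_CRL="$(verify_signer crl)"               # rejected
printf 'before revocation: %s\nafter revocation, CRL not consulted: %s\nafter revocation, CRL consulted: %s\n' \
  "$BEFORE_REVOCATION" "$WITHOUT_CRL" "$WITH_CRL"
```

The middle result is the one the article is about: a revoked signer certificate still passes a plain chain check, so a client that does not download and apply the CRL keeps trusting it, which is why a separately distributed list of revoked certificates (the operating system update Microsoft describes) was needed as a second line of defence.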