Microsoft warns of imposter with digital certificates

The Associated Press
Friday March 23, 2001

SEATTLE — Microsoft warned users Thursday that an unauthorized party had obtained digital certificates that would enable someone to falsely represent themselves as the software giant and deliver a computer virus to an unsuspecting recipient. 

VeriSign Inc. of Mountain View notified Microsoft that it had issued two digital certificates on Jan. 29 and 30. Someone posing as a Microsoft employee was able to trick VeriSign into issuing the certificates, Microsoft said.

VeriSign’s digital certificates – a key security feature of Microsoft’s Internet software – are used by Microsoft to assure the genuineness of programs. 

“The danger, of course, is that even a security-conscious user might agree to let the content execute and might agree to always trust bogus certificates,” the company said. 

Mahi deSilva, VeriSign’s vice president and general manager of applied trust services, said Thursday that the fraud was discovered almost immediately after the certificate was issued, in the course of normal auditing VeriSign does after issuing digital certificates. 

Microsoft and VeriSign were working to correct the problem, both companies said.

Users were warned to inspect for certificates that were issued on Jan. 29 and 30, since no legitimate certificates were given on those dates, and to notify Microsoft or VeriSign if they discover them. 

The FBI has also been notified, deSilva said. 

Microsoft also advised customers to set security levels on their Internet browsers to request permission before opening downloaded documents. 

So far, VeriSign believes no one has used the certificates, deSilva said. 

The problem is serious and its effects could last for years, said Russ Cooper of TruSecure Corp., editor of the NTBugTraq mailing list.

“This is an extremely huge mistake by VeriSign,” he said. “There’s no way that this certificate should have been given to a non-Microsoft employee.” 

DeSilva, who blamed “human error” for the fraudulent certificates, said the company’s reputation shouldn’t suffer “because we found this problem. We’ve been very proactive about communicating this problem to the various authorities. We think we’ve done everything we can to be ahead of the curve here.” 

Investors didn’t agree, at least initially. Shares of VeriSign fell $1.94, or 6 percent, to $33.06 in after-hours trading after rising $2 to $35 during the regular trading session on the Nasdaq Stock Market. 

Shares of Microsoft were up 12.5 cents after closing at $54, up $3.94. 
