Hijacked Certificates Pose Potential Spoofing Problem

Microsoft became the victim of corporate identity theft when VeriSign issued two “Microsoft Corporation” code-signing certificates to an individual who fraudulently claimed to represent Microsoft. In essence, someone outside of Microsoft now has two certificates, dated Jan. 29 and Jan. 30, 2001, that they can use to make it appear that a virus or other destructive software was created by Microsoft. The risk is that users, seeing the certificate, will believe that the destructive software has been tested and is supported by Microsoft, and run it.

To date, no malicious content associated with these certificates has been detected. Nonetheless, the incident means that no one should accept any software download with a Microsoft Corporation certificate without determining that the certificate is in fact valid.

Isolating the Hijacked Certificates

The worst threat is that somebody will use the hijacked certificates to make a virus or other malicious code pose as a useful ActiveX control or Office macro being distributed by Microsoft. A warning dialog box is displayed the first time any code signed with a certificate is invoked, but most users do not read such dialog boxes carefully; once they see the words Microsoft Corporation, they typically accept the code and run it without question.