VERSIONS AFFECTED
- All executable Microsoft products
DESCRIPTION
On January 30 and 31, 2001, VeriSign erroneously issued two Class 3 code-signing certificates to someone claiming to be a Microsoft employee. These certificates enable signing of macros, programs, ActiveX controls, and other executable content. By default, Microsoft OSs don't trust the content signed by these two certificates, even though the certificates appear to come from Microsoft. VeriSign has revoked the certificates, and they are listed in VeriSign's Certificate Revocation List (CRL), but because the certificates don't list a CRL Distribution Point (CDP), it isn't possible for the browser to download this CRL for use. A warning dialog box will still appear before the signed content executes, even if "Microsoft Corporation" is listed as trusted.
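As an added illustration, not part of the original advisory: a Go sketch (standard library only) of the decision a verifier faces with such a certificate. It builds a throwaway CA, a code-signing leaf and a CRL rather than using the real certificates; CheckRevocation and BuildScenario are names chosen here, and any CDP URL passed in is a constructed value.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CheckRevocation models the decision a verifier makes before trusting a signature. A certificate
// that lists a CDP tells the client where to download the issuer's CRL (fetch is caller-supplied, so
// nothing here touches the network). One with no CDP, like the two misissued certificates, can only
// be checked against a CRL the verifier already holds; with none, the answer is "unknown", not "good".
func CheckRevocation(cert *x509.Certificate, fetch func(string) *x509.RevocationList, local *x509.RevocationList) string {
	crl := local
	if len(cert.CRLDistributionPoints) > 0 {
		crl = fetch(cert.CRLDistributionPoints[0])
	}
	if crl == nil {
		return "unknown"
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return "revoked"
		}
	}
	return "good"
}

// BuildScenario constructs a throwaway CA, a code-signing leaf carrying exactly the CDP URLs given
// (nil means none, as in the misissued certificates), and a CRL from that CA revoking the leaf.
// Everything here is constructed test data, not the real certificates.
func BuildScenario(cdps []string) (*x509.Certificate, *x509.RevocationList) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: now, NotAfter: now.Add(time.Hour)}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &key.PublicKey, key))))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "Publisher"}, NotBefore: now,
		NotAfter: now.Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}, CRLDistributionPoints: cdps}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &key.PublicKey, key))))
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}}
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, key))))
	return leaf, crl
}

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
```

With no CDP and no locally held CRL the verifier can only report "unknown"; supplying the CRL out of band (which is what a patch that ships the revocation information does) turns that into "revoked".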
VENDOR RESPONSE
Microsoft has issued security bulletin MS01-017 to address this vulnerability. The company has also released patches for Windows XP Beta 2, Windows 2000, Windows NT, Windows Millennium Edition (Me), Windows 98, and Windows 95. Users can download the patches from Microsoft's Web site. Also, be sure to read Microsoft's security bulletin to review the caveats to these patches.
Users who don't want to install the patches can remove the VeriSign Commercial Software Publishers CA certificate from the Trusted Root Store, as discussed in Microsoft article Q293819, and install the Outlook Email Security Update. Microsoft has also recommended using a utility called Office Document Open Confirmation Tool to decrease the level of risk this vulnerability presents. Microsoft article Q293817 provides further information about the false certificates.
Discovered by Microsoft