Erroneous VeriSign-Issued Digital Certificates

Reported March 22, 2001, by Microsoft.


  • All executable Microsoft products


On January 30 and 31, 2001, VeriSign erroneously issued two Class 3 code-signing certificates to someone claiming to be a Microsoft employee. Such certificates can sign macros, programs, ActiveX controls, and other executable content. By default, Microsoft OSs don't trust content signed by these two certificates, even though the certificates appear to come from Microsoft. VeriSign has revoked the certificates and listed them in VeriSign’s Certificate Revocation List (CRL), but because the certificates don't carry a CRL Distribution Point (CDP), a browser has no way to locate and download that CRL. A warning dialog box will still appear before the signed content executes, even where “Microsoft Corporation” is listed as a trusted publisher.
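As an added illustration (not code from Microsoft, VeriSign or the bulletin), the following standard-library Python walks a DER blob, collects every OID it contains and reports whether a code-signing certificate carries a cRLDistributionPoints extension at all, which is the property the erroneous certificates lacked. The sample extension blocks and the CRL URL are constructed placeholders; `assess()` accepts any DER certificate read from disk.

```python
OID_EXT_KEY_USAGE = bytes.fromhex("551d25")               # 2.5.29.37 extKeyUsage
OID_CRL_DIST_POINTS = bytes.fromhex("551d1f")             # 2.5.29.31 cRLDistributionPoints
OID_EKU_CODE_SIGNING = bytes.fromhex("2b06010505070303")  # 1.3.6.1.5.5.7.3.3 id-kp-codeSigning

def _tlvs(data):
    """Yield (tag, body) for consecutive DER elements; raise ValueError if malformed."""
    i, n = 0, len(data)
    while i < n:
        if i + 2 > n:
            raise ValueError("truncated element")
        tag, ln, i = data[i], data[i + 1], i + 2
        if ln & 0x80:  # long-form length: low bits give the byte count
            nb = ln & 0x7F
            if nb == 0 or i + nb > n:
                raise ValueError("bad length")
            ln, i = int.from_bytes(data[i:i + nb], "big"), i + nb
        if i + ln > n:
            raise ValueError("element overruns buffer")
        yield tag, data[i:i + ln]
        i += ln

def collect_oids(data):
    """Return every OID (DER contents) in a blob, descending into constructed types and extnValue OCTET STRINGs."""
    found = []
    for tag, body in _tlvs(data):
        if tag == 0x06:
            found.append(body)
        elif tag & 0x20:  # SEQUENCE, SET and constructed context-specific tags
            found.extend(collect_oids(body))
        elif tag == 0x04:
            try:
                found.extend(collect_oids(body))
            except ValueError:
                pass  # opaque OCTET STRING (e.g. key bytes), not nested DER
    return found

def assess(der_blob):
    """Does the certificate assert code signing, and does it name a CDP at all?"""
    oids = set(collect_oids(der_blob))
    return {"code_signing": OID_EKU_CODE_SIGNING in oids, "has_cdp": OID_CRL_DIST_POINTS in oids}

# Constructed sample extension blocks (not the real VeriSign certificates).
def der(tag, body):  # short-form TLV encoder (bodies under 128 bytes), samples only
    return bytes([tag, len(body)]) + body
def ext(oid, value): return der(0x30, der(0x06, oid) + der(0x04, value))
EKU_CODE_SIGNING = ext(OID_EXT_KEY_USAGE, der(0x30, der(0x06, OID_EKU_CODE_SIGNING)))
# CRLDistributionPoints ::= SEQUENCE { SEQUENCE { [0] { [0] { [6] IA5String } } } }; placeholder URL
CDP = ext(OID_CRL_DIST_POINTS, der(0x30, der(0x30, der(0xA0, der(0xA0, der(0x86, b"http://crl.example.invalid/ca.crl"))))))
SAMPLE_NO_CDP = der(0x30, EKU_CODE_SIGNING)          # like the erroneous certificates: nowhere to fetch a CRL
SAMPLE_WITH_CDP = der(0x30, EKU_CODE_SIGNING + CDP)  # what a revocation-checkable certificate carries
```

A client that relies solely on the CDP to find the CRL will report `has_cdp: False` for the first sample and therefore never learn of the revocation, which is why the bulletin's patch installs the revocation information locally instead.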


Microsoft has issued security bulletin MS01-017 to address this vulnerability. The company has also released patches for Windows XP Beta 2, Windows 2000, Windows NT, Windows Millennium Edition (Me), Windows 98, and Windows 95. Users can download the patches from Microsoft's Web site. Also, be sure to read Microsoft's security bulletin to review the caveats to these patches.

Users who don't want to install the patches can remove the VeriSign Commercial Software Publishers CA certificate from the Trusted Root Store, as discussed in Microsoft article Q293819, and install the Outlook Email Security Update. Microsoft has also recommended using a utility called Office Document Open Confirmation Tool to decrease the level of risk this vulnerability presents. Microsoft article Q293817 provides further information about the false certificates.

Discovered by Microsoft