Fraudulent Digital Certificate

DTD: 23 March, 2001

Subject: Fraudulent Microsoft Digital Certificates allow potential Spoofing Hazard

Affected:
Microsoft Windows versions 2000, 2000 SP1 Advanced Server
Microsoft Windows versions 2000, 2000 SP1 Server
Microsoft Windows versions 2000, 2000 SP1 Professional
Microsoft Windows NT Server versions 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4, 4.0 SP5, 4.0 SP6a
Microsoft Windows NT Server, Enterprise Edition versions 4.0, 4.0 SP4, 4.0 SP5, 4.0 SP6a
Microsoft Windows NT Workstation versions 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4, 4.0 SP5, 4.0 SP6a
Microsoft Windows NT Server versions 4.0, 4.0 SP4, 4.0 SP5, 4.0 SP6, Terminal Server Edition
Microsoft Windows Millennium Edition
Microsoft Windows 98 Second Edition
Microsoft Windows 98
Microsoft Windows 95

Problem: VeriSign, Inc. has discovered through its routine fraud screening procedures that on 29 and 30 January 2001 it issued two digital certificates to an individual who fraudulently claimed to be a representative of Microsoft Corporation.

Details: On 22 March 2001, Microsoft Corp. issued Microsoft Security Bulletin MS01-017, concerning an incident in which VeriSign, Inc. erroneously issued two digital certificates identified as valid Microsoft certificates to an impostor claiming to be a Microsoft employee. These certificates can be used to digitally sign any program, including malicious code of any type, under the name "Microsoft Corporation". VeriSign, Inc. also posted a security alert on its web site concerning this incident at http://www.verisign.com/developer/notice/authenticode/.

A digital certificate binds a public key to the name of its holder, as vouched for by the issuing certification authority. A signature made with the corresponding private key is then relied on for proof of origin (the signed program came from the named holder) and for integrity (the program has not been altered since it was signed). Neither assumption holds for these fraudulently obtained certificates: a signature made with them verifies correctly and carries the name "Microsoft Corporation", yet the signer is not Microsoft and the signed program may contain anything. The name in the certificate therefore says nothing about the trustworthiness of the code; only the issuer's revocation information, and the checks described under Security Solution below, distinguish these two certificates from legitimate ones.
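To make that point concrete, the following Python example (added here; it is not code from the Symantec or Microsoft advisory, and it uses the third-party cryptography library) builds a hypothetical software-publisher CA, issues two certificates with the identical subject name "Microsoft Corporation" to a genuine holder and to an impostor, revokes the impostor's serial number in a CRL of the kind VeriSign published, and shows that a relying party which only verifies the signature accepts both programs as "signed by Microsoft", while one that also consults the CRL rejects the impostor's. Every name, key, serial number and program image in it is constructed for the example and bears no relation to the real certificates.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding

# Every name, key and serial number here is constructed for the example.
NOW = datetime.datetime(2001, 3, 23, tzinfo=datetime.timezone.utc)  # advisory date, used as "today"
ONE_YEAR = datetime.timedelta(days=365)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

# A hypothetical issuer standing in for a "Class 3 Software Publishers" CA.
CA_KEY = _key()
CA_NAME = _name("Example Class 3 Software Publishers CA")
CA_CERT = (
    x509.CertificateBuilder().subject_name(CA_NAME).issuer_name(CA_NAME)
    .public_key(CA_KEY.public_key()).serial_number(1)
    .not_valid_before(NOW - ONE_YEAR).not_valid_after(NOW + ONE_YEAR)
    .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
    .sign(CA_KEY, hashes.SHA256())
)

def issue_publisher_cert(subject_cn, key, serial):
    """Issue an end-entity code-signing certificate naming subject_cn."""
    return (
        x509.CertificateBuilder().subject_name(_name(subject_cn)).issuer_name(CA_NAME)
        .public_key(key.public_key()).serial_number(serial)
        .not_valid_before(NOW - datetime.timedelta(days=60)).not_valid_after(NOW + ONE_YEAR)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .sign(CA_KEY, hashes.SHA256())
    )

# Two certificates with the SAME subject name: one held by the real publisher,
# one issued to an impostor who got past the CA's identity check.
REAL_KEY, FAKE_KEY = _key(), _key()
REAL_CERT = issue_publisher_cert("Microsoft Corporation", REAL_KEY, serial=1001)
FAKE_CERT = issue_publisher_cert("Microsoft Corporation", FAKE_KEY, serial=1002)

# Once the fraud is discovered, the CA revokes the impostor's serial number.
CRL = (
    x509.CertificateRevocationListBuilder().issuer_name(CA_NAME)
    .last_update(NOW).next_update(NOW + datetime.timedelta(days=7))
    .add_revoked_certificate(
        x509.RevokedCertificateBuilder()
        .serial_number(FAKE_CERT.serial_number).revocation_date(NOW).build()
    )
    .sign(CA_KEY, hashes.SHA256())
)

def sign_program(key, program):
    """Sign a program image with a publisher's private key (PKCS#1 v1.5, SHA-256)."""
    return key.sign(program, padding.PKCS1v15(), hashes.SHA256())

def verify_signed_program(program, signature, cert, ca_cert, crl, check_revocation=True):
    """Decide whether to trust a signed program; returns (accepted, reason).

    Steps 1 and 2 are all a bare signature check establishes, and both pass for
    the impostor's certificate.  Only step 3, the CRL lookup, tells the two
    "Microsoft Corporation" certificates apart."""
    # 1. The certificate itself must be signed by the trusted CA.
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False, "certificate not issued by trusted CA"
    # 2. The program signature must verify under the certificate's public key.
    try:
        cert.public_key().verify(signature, program, padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        return False, "program signature invalid"
    subject = cert.subject.rfc4514_string()
    if not check_revocation:
        return True, "signed by %s (revocation not checked)" % subject
    # 3. The CRL must be signed by the same CA and must not list this certificate's serial.
    if not crl.is_signature_valid(ca_cert.public_key()):
        return False, "CRL signature invalid"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return False, "certificate revoked by issuer"
    return True, "signed by %s" % subject

PROGRAM = b"MZ\x90\x00 constructed stand-in for a downloaded program image"
REAL_SIG = sign_program(REAL_KEY, PROGRAM)
FAKE_SIG = sign_program(FAKE_KEY, PROGRAM)
```

Calling verify_signed_program(PROGRAM, FAKE_SIG, FAKE_CERT, CA_CERT, CRL, check_revocation=False) returns an acceptance naming "CN=Microsoft Corporation", which is exactly the misleading dialogue the bulletin warns about; with the CRL consulted, the same call returns (False, "certificate revoked by issuer"). A deployed check also confirms each certificate's validity period and the CRL's next-update time, and obtains the CRL from the issuer's distribution point rather than building it locally; the decision logic is the same.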
According to Microsoft: "Programs signed using these certificates would not be able to run automatically or bypass any normal security restrictions. However, the warning dialogue that appears before such programs could run would claim that they had been digitally signed by Microsoft. Clearly, this would be a significant aid in persuading a user to run the program."

This issue is not a security problem with any Microsoft product, nor does it indicate that any of Microsoft's official certificates have been compromised. Two NEW certificates were issued by VeriSign, Inc. that were incorrectly identified as being owned by Microsoft. However, this incident does present a very serious threat to Microsoft customers, including Symantec customers who use Microsoft products. Both VeriSign, Inc. and Microsoft Corp. have aggressively addressed this issue and are taking appropriate measures to contain the possible impact of this incident and prevent future occurrences. Anyone using Microsoft software should read the above Microsoft bulletin and follow the procedures and security precautions outlined therein.

Risk Impact: High.

Security Solution: Microsoft has posted administrative procedures to follow to mitigate the risks associated with these fraudulent certificates and is developing a soon-to-be-posted software patch that will check for the fraudulent certificates before a download is accepted, and will also check a system to see whether these fraudulent certificates have previously been accepted. VeriSign has revoked the fraudulent certificates and posted an updated certificate revocation list at http://crl.verisign.com/Class3SoftwarePublishers.crl. All users of Microsoft products should update their systems with the Microsoft patch as soon as it is posted.

Symantec Enterprise Solutions: Symantec Enterprise Solutions provides a total security solution (reactive and real-time) to defend against this latest threat.
The Symantec Enterprise Security Manager (ESM) provides vulnerability assessment capabilities for machines that have accepted one or both of the fraudulent certificates. Please download the templates in the esm/template directory: File: verisign.zip

Symantec Security Response has also developed and posted definitions for Norton AntiVirus to detect and prevent the download of these certificates, and to scan the existing file system, providing real-time protection. Definitions are available via the LiveUpdate feature or by manual download.

Industry Best Practices: Symantec recommends the following best practices to protect against running malicious code in Microsoft products:
1. Install the latest security patches and application updates on all operating systems and applications.
2. Set HTML e-mail to run in the Restricted Zone and ensure ActiveX and scripting are disabled.
3. Upgrade to Microsoft Office 2000, which by default disallows running unsigned macros.
4. Educate users on the security risks inherent in downloading files from untrusted web sites and opening e-mail attachments from unknown sources.
5. Ensure appropriate security settings are in place depending on the access needs of the user.

For further information on managing mobile code on Microsoft systems, see "Managing Mobile Code with Microsoft Technologies", http://www.microsoft.com/TechNet/security/mblcode.asp

Credits: Symantec Security Response would like to thank VeriSign, Inc. for their close cooperation in developing solutions to this issue.

Copyright (c) 2008 by Symantec Corp.

Disclaimer: Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.