Two digital certificates have been mistakenly issued in Microsoft's name that could be used by virus writers to fool people into running harmful programs.
According to Microsoft, someone posing as a Microsoft employee tricked VeriSign, which hands out so-called digital signatures, into issuing the two certificates in the software giant's name on January 30 and January 31.
Such certificates are critical for businesses and consumers who download patches, updates and other pieces of software from the Internet, because they let the recipient verify that the software really comes from a particular company, such as Microsoft.
In this case, a person holding the VeriSign-issued certificates could post a virus on the Web that would appear to be signed by Microsoft but could actually be used, for example, to wipe out a person's hard drive.
"Our main interest right now is to get the word out and let people know what they can do," said Steve Lipner, manager of Microsoft's Security Response Centre. Microsoft first heard of the incident last week when VeriSign notified the company. Lipner added that the FBI has been asked to investigate.
A Microsoft security bulletin states that the vulnerability could affect "all customers using Microsoft products."
"The certificates could be used to sign programs, ActiveX controls, Office macros, and other executable content," states the bulletin. "Of these, ActiveX controls and Office macros would pose the greatest risk, because the attack scenarios involving them would be the most straightforward."
So far, there is no evidence that the certificates have been used, Lipner said.
"We screwed up in issuing the certificate," said Mahi de Silva, vice president and general manager of applied services at VeriSign.
"However, our second-stage fraud protection caught that mistake. We are not trying to shift the blame," he said.
It's the first time VeriSign has falsely issued such codes, de Silva added, noting that the company has handed out more than 500,000 certificates.
Microsoft said it intends to release an update next week that will automatically detect the signatures and warn users that they are invalid.
Roger Thompson, technical director of malicious code research for security services company TruSecure, said the threat posed by the certificates depends on who has access to them.
"If it was someone with a purpose in mind, then six weeks is a long time to do something," he said. If the attacker wanted to compromise a company or a government agency by creating forged Microsoft-signed certificates, the damage may already be done.
"If the job was to install a sniffer, then there could be a zillion backdoors as a result of it," Thompson said. A sniffer allows an intruder to grab everything typed by a person on a computer, including passwords, and usually leads to a total compromise of security.
Microsoft has asked anyone finding such a certificate to contact it at www.secure@microsoft.com.