Insecurity

Insecure software certificates are an issue far more serious than any virus attack. Viruses affect the unprepared. Breach of trust is worse. Last week VeriSign issued two software certifications to what it claimed was a Microsoft employee. When the software giant checked and found this untrue, the finger-pointing began as both issuer and (supposed) issuee had to develop a quick, lasting solution to the problem.

VeriSign is the de facto authenticator for the Internet. Its software certificates are all we, as end-users, need to differentiate between the real and the malicious. Most shopping sites proudly boast their "VeriSign seal of approval." Some even invite you to click the logo for more information. But this "web of trust" could well become a relic of past, more trusting times.

On January 29 and 30, 2001, VeriSign issued two VeriSign Class III code-signing digital certificates to someone claiming to be a Microsoft employee. Both certificates bear the ID "Microsoft Corporation" and can be used to sign programs, ActiveX controls, Office macros and any executable content. The affected certificates bear the distinctive serial numbers "1B51 90F7 3724 399C 9254 CD42 4637 996A" and "750E 40FF 97F0 47ED F556 C708 4EB1 ABFD." Their validity periods are January 29, 2001 to January 30, 2002, and January 30, 2001 to January 31, 2002, respectively.

Signed ActiveX controls and Office macros pose the greatest risk since they can be delivered via Web pages, HTML mail or scripts. You may be safe if you have installed the Office Document Open Confirmation Tool (Office 2000 only). The certificates have since been revoked by VeriSign. Microsoft has also developed a system update (all Windows platforms). Please install it immediately to protect your computer from the danger. You can also make some configuration changes to your browser settings. These, and other, certificates are verified through built-in calls within the Windows operating system, not by the browser alone. It is therefore advisable to modify the Internet Explorer settings even if you use a third-party browser like Netscape (Navigator/Communicator), Gecko, Opera or NeoPlanet.

The best caution is to visually inspect any and all software authentication certificates. When downloading a signed software add-in or control, you are presented with a dialog box. Instead of trusting all content from Microsoft, or enabling the check box, click the More Information button. This will display the certificate details. Select the Details tab for information about the certificate. Check the Serial Number to make sure it doesn't match the fraudulent ones. Only then approve the software.

If you haven't done so yet, I also suggest that you install the Outlook Email Security Update. If you really fear that an uncaring user will inadvertently download and install mala fide ware, you could consider removing the VeriSign Commercial Software Publishers CA certificate from the Trusted Root Store. If you use Outlook Express or any other email client, you are bound to trust Windows' ability to sort right from wrong. I suggest that you also note down the untrustworthy certificate numbers on a post-it and attach it to your monitor.

Govind Menon
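The manual check described above (open the certificate details, read the serial number, compare it against the two fraudulent serials, and only then approve) can be scripted. The following is an added example, not code from the column or from Microsoft or VeriSign: a minimal DER walker that reads the serial number and validity period from the front of an X.509 certificate and compares them against a blocklist built from the serial numbers quoted in the article. The two certificate byte strings it checks are constructed here for the example and are not real certificates (they contain only the leading tbsCertificate fields, with no subject, key or signature); a real DER or .cer file can be passed to the same functions.

```python
"""Blocklist check on a DER certificate's serial number and validity period.

Added example. Only the fields that precede 'subject' in tbsCertificate are
parsed:  Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
            [0] version OPTIONAL, serialNumber INTEGER,
            signature AlgorithmIdentifier, issuer Name, validity SEQUENCE { .. } ... } ... }
"""
from datetime import datetime

# Serial numbers of the two fraudulent "Microsoft Corporation" certificates
# named in the article, compared as integers so a leading DER 0x00 does not matter.
FRAUDULENT_SERIALS = {
    int(s.replace(" ", ""), 16)
    for s in ("1B51 90F7 3724 399C 9254 CD42 4637 996A",
              "750E 40FF 97F0 47ED F556 C708 4EB1 ABFD")
}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_certificate(der):
    """Return (serial_int, not_before, not_after) from the front of a DER certificate.
    Times are returned as the raw UTCTime/GeneralizedTime strings."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tag, tbs, _ = _read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, value, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                         # explicit [0] version is optional
        tag, value, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    serial = int.from_bytes(value, "big", signed=True)
    _, _, pos = _read_tlv(tbs, pos)         # signature AlgorithmIdentifier (skipped)
    _, _, pos = _read_tlv(tbs, pos)         # issuer Name (skipped)
    tag, validity, _ = _read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("validity is not a SEQUENCE")
    _, not_before, p = _read_tlv(validity, 0)
    _, not_after, _ = _read_tlv(validity, p)
    return serial, not_before.decode("ascii"), not_after.decode("ascii")


def _utctime(s):
    """Parse UTCTime 'YYMMDDHHMMSSZ'; two-digit years 00..68 map to 20xx."""
    return datetime.strptime(s, "%y%m%d%H%M%SZ")


def check_certificate(der, now_utctime):
    """Return the list of reasons to reject the certificate; [] means both checks pass."""
    serial, not_before, not_after = parse_certificate(der)
    problems = []
    if serial in FRAUDULENT_SERIALS:
        problems.append("serial number is on the fraudulent list")
    if not (_utctime(not_before) <= _utctime(now_utctime) <= _utctime(not_after)):
        problems.append("certificate is outside its validity period")
    return problems


# --- constructed test input (NOT a valid certificate) --------------------------
def _tlv(tag, value):
    """Encode one DER tag-length-value, using long-form length when needed."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_constructed_cert(serial_hex, not_before, not_after):
    """Build a DER shell holding only version, serial, signature OID, an empty
    issuer and the validity period, so the parser can be exercised offline."""
    serial = int(serial_hex.replace(" ", ""), 16)
    nbytes = (serial.bit_length() + 8) // 8   # +8 keeps a 0x00 pad if the high bit is set
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02"))                               # [0] version v3
           + _tlv(0x02, serial.to_bytes(nbytes, "big"))                  # serialNumber
           + _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010105")))  # sha1WithRSAEncryption
           + _tlv(0x30, b"")                                             # issuer: empty Name
           + _tlv(0x30, _tlv(0x17, not_before.encode()) + _tlv(0x17, not_after.encode())))
    return _tlv(0x30, _tlv(0x30, tbs))


# The first uses one of the article's fraudulent serials and its stated validity
# period; the second uses a made-up serial. Both byte strings are constructed here.
FRAUDULENT_CERT = build_constructed_cert("1B51 90F7 3724 399C 9254 CD42 4637 996A",
                                         "010129000000Z", "020130235959Z")
HARMLESS_CERT = build_constructed_cert("0123 4567 89AB CDEF 0123 4567 89AB CDEF",
                                       "010101000000Z", "031231235959Z")

if __name__ == "__main__":
    for name, der in (("fraudulent", FRAUDULENT_CERT), ("harmless", HARMLESS_CERT)):
        print(name, "%032X" % parse_certificate(der)[0], check_certificate(der, "010301120000Z"))
```

To run it against a real file, read it in binary (`open("control.cer", "rb").read()`) and pass the bytes to `check_certificate`; PEM files must first be base64-decoded between the BEGIN/END lines. The serial comparison is done on integers so that a serial whose first byte has its high bit set (which DER encodes with a leading 0x00) still matches the hex printed in the certificate dialog.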