Microsoft Warns Users After Security Breach

greenspun.com : LUSENET : Grassroots Information Coordination Center (GICC) : One Thread


March 22, 2001 By KOMO Staff & News Services

REDMOND - Microsoft warned users Thursday that an unauthorized party had obtained digital certificates that would enable someone to falsely represent themselves as the software giant and deliver a computer virus to an unsuspecting recipient.

VeriSign Inc. of Mountain View, Calif., notified Microsoft that it issued two digital certificates on Jan. 29 and 30. Someone posing as a Microsoft employee was able to trick VeriSign into issuing the certificates, said Steve Lipner, manager of Microsoft's security response center.

Stamp Of Genuine

VeriSign's digital certificates - a key security feature of Microsoft's Internet software - are used by Microsoft to assure programs are genuine.

"We're very concerned that these certificates have been issued by VeriSign," Lipner said. "They replicate a mechanism that customers are used to trusting."

Mahi deSilva, VeriSign's vice president and general manager of applied trust services, said Thursday that the fraud was discovered almost immediately after the certificate was issued, during normal auditing VeriSign does after issuing digital certificates.

Microsoft and VeriSign were working to correct the problem, both companies said. Users were warned to inspect for certificates that were issued on Jan. 29 and 30, since no legitimate certificates were given on those dates, and to notify Microsoft or VeriSign if they discover them.

The FBI has also been notified, deSilva said.

'Extremely Huge Mistake'

Microsoft also advised customers to set security levels to prevent viruses from being transmitted by e-mail in case the fraudulent program was opened.

The company hoped to have a program available in the next two weeks that would automatically check for the fake certificates, Lipner said. The program will be available to download for free off the Internet for products including Windows and Internet Explorer.

"This is certainly a big error that has occurred, and we're very concerned," Lipner said. "Our current focus is on figuring out how to protect the customers and working with VeriSign to make sure it doesn't happen again."

So far, VeriSign believes no one has used the certificates, deSilva said.

The problem is serious and effects could last years, said Russ Cooper of TruSecure Corp. and editor of the NTBugTraq mailing list.

"This is an extremely huge mistake by VeriSign," he said. "There's no way that this certificate should have been given to a non-Microsoft employee."

DeSilva said the person who got the certificates had a sophisticated knowledge of ways to try to fool VeriSign but still should have been caught by the company's normal techniques. He blamed "human error" and said the company's reputation shouldn't suffer "because we found this problem. We've been very proactive about communicating this problem to the various authorities. We think we've done everything we can to be ahead of the curve here."

http://www.komotv.com/news/story.asp?ID=9932

-- Martin Thompson (mthom1927@aol.com), March 22, 2001

