Beware of Content Signed by Microsoft
Look Out for Fake Microsoft Digital Signatures
Byron Alley
March 26th, 2001 - Using Internet Explorer to run active content on a web page requires a certain amount of trust. A reasonably paranoid web surfer will look at the digital signature to determine who the code belongs to and decide on that basis whether to allow the active content to run. Microsoft would seem to be one of the most obvious companies to trust, since the user is already running a Microsoft operating system and web browser.
Unfortunately, the digital signature system isn't foolproof. One way around it is to get the certifying authority to mistakenly issue a certificate in a trusted company's name to the wrong person. This is exactly what happened.
According to Microsoft, "on January 29 and 30, 2001, [Verisign] issued two VeriSign Class 3 code-signing digital certificates to an individual who fraudulently claimed to be a Microsoft employee." This enables the individual in question to falsely sign active content in Microsoft's name, taking advantage of the trust that users put in that name. The greatest risk posed by this security breach is that the digital certificates could be used to sign ActiveX controls or MS Office macros. In either case, a user could end up activating hostile code, whether on a web page or in an email.
Staying Safe
The first step is to check the digital signature on any active content. If the certificate is in Microsoft's name and was issued on January 29, 2001, or January 30, 2001, then the code has been fraudulently signed and does not belong to Microsoft--do not trust it! Otherwise, proceed as usual.
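The check described above, written out as an added example (not code from the original article): a small policy that flags a signing certificate which claims to be Microsoft and whose validity period starts on one of the two dates the article names. The field names, the issuer-name test and the sample signers are assumptions constructed for illustration, and the code also normalises timestamps to UTC so a local-time value near midnight does not land on the wrong day.

```python
"""Flag Authenticode signers matching the fraudulently issued certificates described above."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone

# Dates on which, per the article, the two bogus "Microsoft" certificates were issued.
SUSPECT_ISSUE_DATES = {date(2001, 1, 29), date(2001, 1, 30)}


@dataclass(frozen=True)
class SignerCert:
    subject_org: str      # O= of the signing certificate (assumed field layout)
    issuer_cn: str        # CN= of the issuing CA (assumed field layout)
    not_before: datetime  # start of validity, treated here as the issue date


def is_suspect_microsoft_cert(cert: SignerCert) -> bool:
    """True when the certificate claims to be Microsoft, was issued by a VeriSign CA
    (issuer-name test is an assumption), and its validity starts on 29 or 30 Jan 2001 UTC."""
    claims_microsoft = cert.subject_org.strip().lower() == "microsoft corporation"
    verisign_issuer = "verisign" in cert.issuer_cn.lower()
    # Convert aware timestamps to UTC before taking the calendar date; naive
    # timestamps are assumed to already be UTC.
    if cert.not_before.tzinfo is not None:
        issued = cert.not_before.astimezone(timezone.utc).date()
    else:
        issued = cert.not_before.date()
    return claims_microsoft and verisign_issuer and issued in SUSPECT_ISSUE_DATES


def decide(cert: SignerCert) -> str:
    """Policy from the article: reject content signed with a suspect certificate,
    otherwise fall back to the usual trust decision for that publisher."""
    return "reject" if is_suspect_microsoft_cert(cert) else "usual-trust-decision"


# Constructed sample signers (not real certificate data).
SAMPLES = [
    SignerCert("Microsoft Corporation", "VeriSign Class 3 Code Signing CA", datetime(2001, 1, 30, 10, 0)),
    SignerCert("Microsoft Corporation", "VeriSign Class 3 Code Signing CA", datetime(2000, 11, 3, 10, 0)),
    SignerCert("Example Software Inc.", "VeriSign Class 3 Code Signing CA", datetime(2001, 1, 29, 10, 0)),
    # 01:00 on 31 Jan in UTC+3 is still 22:00 on 30 Jan in UTC, so it must be flagged.
    SignerCert("Microsoft Corporation", "VeriSign Class 3 Code Signing CA",
               datetime(2001, 1, 31, 1, 0, tzinfo=timezone(timedelta(hours=3)))),
]

if __name__ == "__main__":
    for cert in SAMPLES:
        print(f"{cert.subject_org:24} {cert.not_before.isoformat()} -> {decide(cert)}")
```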
Other measures include installing the Outlook update, which prevents even signed code from being run, and installing the Office Document Open Confirmation Tool, which makes Internet Explorer prompt before displaying a Word document.