Beware rogue certificates, says Microsoft

by James Middleton

26 Mar 2001

Microsoft has warned that infrastructure security provider VeriSign was duped into handing over digital certificates to an internet fraudster, who may use them to trick users into running harmful programs on their systems.

The software giant said the certificates could be used by the fraudster to post on the internet programs appearing to be certified by Microsoft, and that these programs may contain malicious code.

Microsoft has issued a security bulletin about the security breach, which can be viewed here.

The bulletin confirms that all versions of Windows are affected and warns users to be on their guard. The breach has been given a "serious risk" rating and the company has called in the FBI to investigate.

VeriSign said it signed off the certificates on 29 and 30 January this year to someone claiming to be a Microsoft employee. The company claims it was duped because the request was made through a secure online form, which asked for employment information, a corporate contact and a billing contact, but admitted that "normal procedure had not been followed".

VeriSign has since revoked the bogus certificates but has warned users to check the dates on the security certificates that appear in a pop-up box before installation of a program. Do not install anything that says something along the lines of: "Do you want to install this program, certified by Microsoft on 29 [or 30] January 2001?"

The main danger here is that the certification appears to have been given by Microsoft, so even a security-conscious user may install such software because it would appear to be from a reliable source.

Although the breach was only discovered through a routine security check, VeriSign did highlight the fact that 500,000 genuine certificates have been issued by the company and these two are the only fraudulent exceptions.
