Microsoft, VeriSign Warn of Security Hole
Windows users risk infection if fooled by bogus digital certificates.
Cameron Crouch, PCWorld.com
Microsoft is issuing a warning to all Windows users that two VeriSign digital certificates might falsely identify programs and patches as trusted Microsoft products.
This means that a program you download from a Web site might carry a certificate as Microsoft-approved and trustworthy, but it could contain a virus or Trojan horse that could damage your system.
VeriSign takes responsibility, saying it mistakenly issued the certificates to an individual posing as a Microsoft employee. The bogus certificates are dated January 29 and 30, which is currently the only way you can identify them, according to the Microsoft Security Bulletin posted Thursday.
Microsoft is working on a patch to protect its users, although it says no one has yet used the certificates. The release could take a while, because it needs to "run on every operating system we've issued in the last six years as well as ones we're working on now," says Scott Culp, program manager at Microsoft's security response center.
VeriSign alerted Microsoft of the error during an audit last week and revoked the certificates, Culp says.
Explaining Broken Trust
Part of public key cryptography, a digital signature allows you to implant a signature on data using a digital key, Culp says. "The signature proves two things: the origin and the authenticity of that piece of data," he says. In other words, the signature proves it came from the trusted sender and hasn't been tampered with on the way, he adds.
A digital certificate serves as a third-party verification of the identity of the person who digitally signed the data, Culp says. "You would need my digital certificate to verify my digital signature. The certificate is issued to me by a third-party ticket authority like VeriSign," he says.
"If you check the signature using that certificate key, it lets you know it was me who signed it and not someone else," he adds. Programs are often digitally signed and have certificates to reassure you when you download something from a Web site, Culp says.
Digital certificates don't let anything happen without your approval, Culp adds. "If you see that warning dialog, don't assume it's a slam dunk. Click on the link that says Microsoft, get a picture of that certificate, and see if it was issued on January 29 or 30. No real certificates were issued that day."
Also, make sure you have the latest Outlook e-mail security update, he adds.
Should someone try to use the certificates to launch a virus or Trojan horse, they'll either put the program on a Web site or send it via e-mail, Culp says. "Outlook e-mail security update will block that mail-based attack."
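The signing and verification steps Culp describes above, as an added example that is not part of the original article and is not Microsoft's or VeriSign's code: Go's standard library stands in for the certificate authority (a constructed root, not VeriSign's), a leaf certificate restricted to code signing is issued under it, a sample update is signed, and the verifier performs the checks the article lists, namely chain of trust, signature over the downloaded bytes, the January 29/30 issue-date test from the bulletin, and issuer revocation (modelled as a set of revoked serials because Go's x509 package does not fetch CRLs on its own). The names "Example Root CA", "Example Corp", the serial numbers, the sample binary and every date other than January 29 and 30 are constructed; the `must` helper is a demo shortcut for setup steps that only fail in a broken environment.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issue dates the bulletin named as the only way to recognise the bogus certificates.
var blockedIssueDates = map[string]bool{"2001-01-29": true, "2001-01-30": true}

// must shortens setup code: key generation and certificate creation only fail in a broken environment.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func day(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }

// mint generates a P-256 key and has parent certify it under tmpl (self-signed when parent is nil).
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// newRoot creates a hypothetical certificate authority, a constructed stand-in for VeriSign.
func newRoot(name string, from time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	return mint(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: from, NotAfter: from.AddDate(10, 0, 0), BasicConstraintsValid: true, IsCA: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
}

// issueCodeSigning has the root certify a fresh key for subject, restricted to code signing; NotBefore is the "issued on" date a user sees.
func issueCodeSigning(root *x509.Certificate, rootKey *ecdsa.PrivateKey, subject string, serial int64, issued time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	return mint(&x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: subject},
		NotBefore: issued, NotAfter: issued.AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, root, rootKey)
}

// verifyDownload runs the checks the article describes: chain to a trusted code-signing root, signature over
// the bytes, the issue-date test, and issuer revocation (a set of serials; Go's x509 does not fetch CRLs itself).
func verifyDownload(roots *x509.CertPool, certDER, code, sig []byte, revoked map[string]bool, at time.Time) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return fmt.Errorf("unparseable certificate: %v", err)
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("no trusted chain: %v", err)
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, code, sig); err != nil {
		return fmt.Errorf("signature does not match the code: %v", err)
	}
	if issued := cert.NotBefore.UTC().Format("2006-01-02"); blockedIssueDates[issued] {
		return fmt.Errorf("issued %s, a date on which no real certificate was issued", issued)
	}
	if revoked[cert.SerialNumber.String()] {
		return fmt.Errorf("certificate %v revoked by its issuer", cert.SerialNumber)
	}
	return nil
}

// runScenario verifies one constructed download under three certificates: ordinary date, dated January 30, and revoked.
func runScenario() (ordinary, datedJan30, revokedByIssuer error) {
	root, rootKey := newRoot("Example Root CA (stand-in)", day(2000, 1, 1))
	roots := x509.NewCertPool()
	roots.AddCert(root)
	at, code, revoked := day(2001, 4, 1), []byte("constructed sample update binary"), map[string]bool{}
	digest := sha256.Sum256(code) // ECDSA signs the SHA-256 digest; the signature is DER-encoded (r, s)
	try := func(serial int64, issued time.Time, revoke bool) error {
		cert, key := issueCodeSigning(root, rootKey, "Example Corp", serial, issued)
		sig := must(ecdsa.SignASN1(rand.Reader, key, digest[:]))
		revoked[cert.SerialNumber.String()] = revoke
		return verifyDownload(roots, cert.Raw, code, sig, revoked, at)
	}
	return try(100, day(2001, 3, 1), false), try(101, day(2001, 1, 30), false), try(102, day(2001, 3, 1), true)
}

func main() {
	ordinary, jan30, revoked := runScenario()
	fmt.Println("ordinary:", ordinary, "| dated Jan 30:", jan30, "| revoked:", revoked)
}
```

The order of the checks matters: chain and signature verification come first, because the issue date and serial are only meaningful once the certificate is known to be genuinely issued by the trusted root and actually bound to the bytes being installed. The date test reproduces what Culp asks users to do by hand in the certificate dialog; the revocation test is what the issuer's revocation would provide once a client consulted the CRL.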
Security Holes Abound
Despite Microsoft's denial of responsibility, security expert William Knowles cites this incident as just the latest in a line of recent Microsoft security problems.
"A malicious third party could write a Trojan application that could take over your system," says Knowles, an analyst at the Internet security site C4I.org. And because it says it's from Microsoft, you're likely to go ahead and trust it, he adds.
"The big risk is when you're getting new code--like a Word update. It'll ask you, 'Do you trust this information as being from Microsoft?'" Knowles says.
And Microsoft wants to take on yet more of your personal information and assume greater security risk. Part of its .Net initiative, Microsoft's HailStorm will hold your personal information on the company's servers, Knowles says. That's coming from a company that can't even keep its operating system or network secure, he adds. "I'm finding less and less reason to trust Microsoft."
And despite the warning, he fears most people won't take the time to check on digital certificates before approving a program that claims to be from Microsoft, Knowles says. "If it says it's from Microsoft, it says it's from Microsoft. I'd trust a level 3 VeriSign certificate saying it's from Microsoft."