• PC World
• »Security

Microsoft recently announced that someone tricked VeriSign, the company that issues digital certificates, into granting two certificates to a person claiming to be a Microsoft employee. That's a bit like allowing someone to steal a police officer's badge--it puts the thief in a position of trust that he or she can abuse.

When you download a program off the Web, its digital certificate guarantees that it comes from the company it says it comes from. Using the stolen certificates, though, a cracker could send you a Trojan horse, a virus, or another nasty piece of code that presents itself as an officially approved Microsoft program.

Microsoft has released a security update to address the problem, and offers a link to the 128KB fix (along with a FAQ section discussing the security breach and related issues).

For Norton AntiVirus users, Symantec says that any virus definitions dated March 23, 2001, or later will detect the two stolen certificates. Similarly, McAfee users are protected with virus definition files dated March 24, 2001, or later.

Hole in Outlook, Outlook Express

Outlook 98, Outlook 2000, and Outlook Express 5.x have a security hole in their VCard capabilities. A VCard stores your business card information in an electronic format. In addition, it permits you to send your contact information to other users as an attachment that they can load into their Outlook and Outlook Express contacts databases--no typing required.

Though it's handy, the VCard technology has a bug that enables a malicious hacker to create a VCard that could crash the user's e-mail program or, worst case, let the attacker take over the user's computer. In this last instance, the bad guy could do anything the user had privileges to do, including reformat the hard drive.

The specific element responsible for this flaw ships as part of Outlook Express and is shared by Outlook. Since IE installs Outlook Express by default, identifying the correct patch for your PC depends on the version of IE you use, not on the version of Outlook you have, according to Microsoft. (To find out which version of IE runs on your system, from within IE select Help, About Internet Explorer.) The attack takes advantage of a buffer overflow error to flood the program with data. Envision a stoppered sink with the water left on. By sending the VCard feature too much info, the hacker can overwhelm Outlook or Outlook Express.

The patch turns off the flow by truncating the length of the character stream that the rigged VCard is trying to pour into the program.