SAN FRANCISCO: Digital certificate issuer VeriSign Inc. said on Thursday that an
individual posing as a Microsoft Corp. employee was able to obtain two
code-signing certificates - the online equivalent of a publisher's signature -
that could allow him to distribute harmful or virus-ridden software to
unsuspecting Internet users while making it appear to come from Microsoft.
VeriSign said it has seen no evidence that the certificates, which let a software
publisher prove its identity to anyone who downloads its code, have been used,
and has revoked them to prevent their future use. Revocation alone does not
close the hole: the two certificates do not point to VeriSign's revocation list,
so a browser that checks only that a certificate chains to a trusted issuer
would still accept them. Microsoft therefore said it will issue a patch on its
Web site by next week that recognizes the two fraudulent certificates and warns
Internet users.
Internet users typically encounter these certificates when downloading software
upgrades or patches. A box pops up in the Web browser asking whether they wish
to install content from a named software publisher; that name comes from the
certificate carried in the download's digital signature, which the browser
checks back to the issuing authority. The dialog vouches for who signed the
code, not for what the code does.
An unscrupulous user could sign a disguised virus or worm with one of the
certificates and post it on a Web site, so that the browser's prompt would tell
an Internet user it is officially sanctioned software from Microsoft, said
Mahi de Silva, vice president at VeriSign.
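The failure described above, as an added example written for this page and not code from VeriSign, Microsoft or the article: a constructed toy CA ("Example Class 3 CA", a hypothetical name) certifies an impostor's key under Microsoft's name, exactly as a CA fooled at enrollment would. A client that checks only the certificate chain and the signature accepts the signed download; only an explicit revocation check against the certificate's fingerprint, the kind of check the Microsoft patch adds, rejects it. Go's standard X.509 library stands in for the browser's signature check; the keys, payload and blocklist are constructed, and the leaf deliberately carries no CRL distribution point, which Microsoft's later bulletin MS01-017 records as the reason revocation alone could not protect users.

```go
package main

// Added example for this page, not code from VeriSign, Microsoft or the
// article: a constructed CA issues a genuine code-signing certificate to an
// impostor; chain validation accepts it, only a revocation check rejects it.
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

// Scenario is the constructed trust store, fraudulent leaf and a signed
// payload standing in for a downloaded installer.
type Scenario struct {
	Roots        *x509.CertPool
	Leaf         *x509.Certificate
	Payload, Sig []byte
}

// Result is what a download client learns about the signed code.
type Result struct {
	ChainOK     bool // leaf chains to a trusted root with the code-signing EKU
	SignatureOK bool // signature over the payload verifies under the leaf key
	Blocked     bool // leaf fingerprint is on the revocation blocklist
	HasCRLDP    bool // leaf names a CRL the client could consult on its own
	Accept      bool // overall decision
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	c, err := x509.ParseCertificate(der)
	check(err)
	return c
}

// Fingerprint is the SHA-256 of the DER certificate, the usual blocklist key.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// BuildScenario creates a hypothetical root CA and has it certify an
// impostor's key under Microsoft's name, as a CA fooled at enrollment would.
func BuildScenario() *Scenario {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Example Class 3 CA"}, // hypothetical name
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the impostor's key
	check(err)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Microsoft Corporation"}, // impersonated publisher
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		// No CRLDistributionPoints, as with the real certificates (MS01-017).
	}
	leaf := issue(leafTmpl, ca, &leafKey.PublicKey, caKey)
	payload := []byte("constructed sample: bytes of a malicious installer")
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, leafKey, digest[:])
	check(err)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &Scenario{Roots: roots, Leaf: leaf, Payload: payload, Sig: sig}
}

// Evaluate does what a download client should: chain check, signature check,
// then a lookup in a blocklist of revoked fingerprints (the patched behaviour).
func Evaluate(s *Scenario, blocklist map[string]bool) Result {
	var r Result
	_, err := s.Leaf.Verify(x509.VerifyOptions{Roots: s.Roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	r.ChainOK = err == nil
	pub, ok := s.Leaf.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(s.Payload)
	r.SignatureOK = ok && ecdsa.VerifyASN1(pub, digest[:], s.Sig)
	r.Blocked = blocklist[Fingerprint(s.Leaf)]
	r.HasCRLDP = len(s.Leaf.CRLDistributionPoints) > 0
	r.Accept = r.ChainOK && r.SignatureOK && !r.Blocked
	return r
}
```

Calling `Evaluate(s, nil)` models the unpatched browser: ChainOK, SignatureOK and Accept are all true, because the certificate really was issued by the trusted CA. Calling `Evaluate(s, map[string]bool{Fingerprint(s.Leaf): true})` models the patched client: the chain still validates, but Blocked flips Accept to false. HasCRLDP stays false throughout, which is why a client cannot discover the revocation by itself and a pushed blocklist is needed.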
The certificates were wrongly issued in late January, according to Mountain
View, Calif.-based VeriSign, after an employee error let the individual or
individuals get past the company's multi-step identity-verification procedures
and successfully apply for the certificates.
"The efficacy of our security system is not in question," said
Brian O'Shaughnessy, a VeriSign spokesman, who said the company has sold more
than 500,000 digital certificates without a problem.
VeriSign has turned over evidence to the Federal Bureau of Investigation,
which is now investigating the case. Those who fraudulently obtained the
certificates face possible criminal charges of fraud, said de Silva.
(C) Reuters Limited 2001.