According to Microsoft, someone posing as a Microsoft employee tricked VeriSign, which hands out so-called digital signatures, into issuing the two certificates in the software giant's name on Jan. 30 and Jan. 31.
Such certificates are critical for businesses and consumers who download patches, updates and other pieces of software from the Internet, because they verify that the software is being supplied from a particular company, such as Microsoft.
In this case, a person using the VeriSign-issued certificates could post a virus on the Web that would appear to be from Microsoft but could actually be used to wipe out a person's hard drive, for example.
"Our main interest right now is to get the word out and let people know what they can do," said Steve Lipner, manager of Microsoft's Security Response Center. Microsoft first heard of the incident last week when VeriSign notified the Redmond, Wash.-based company. Lipner added that the FBI has been asked to investigate.
A Microsoft security bulletin issued Wednesday states that the vulnerability could affect "all customers using Microsoft products."
"The certificates could be used to sign programs, ActiveX controls, Office macros, and other executable content," states the bulletin. "Of these, ActiveX controls and Office macros would pose the greatest risk, because the attack scenarios involving them would be the most straightforward."
So far, there is no evidence that the certificates have been used, Lipner said.
Detecting "Class 3" certificates is fairly straightforward, he said.
When people double-click a Web link to install a program, a "Security Warning" dialog box pops up with details of the certificate used to sign the code. The dialog box will appear even on computers where the person had previously said to trust all Microsoft code.
People should click the hyperlinked "Microsoft Corporation" name to get more information on the certificate. If the "Valid from" field starts with either a Jan. 29, 2001, date or a Jan. 30, 2001, date, the certificate is fraudulent and the person should not download the software.
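The manual check above (open the signer's certificate and look at its "Valid from" date) can be automated for files already on disk. The following PowerShell script is an added example, not from the original article or from Microsoft; it uses the built-in `Get-AuthenticodeSignature` cmdlet to read the signer certificate of each downloaded executable and flags any that both claim to be "Microsoft Corporation" and have a validity start date of Jan. 29 or Jan. 30, 2001, the two dates the article names. The scan folder, file extensions and the exact subject-name match are assumptions for illustration.

```powershell
# Added example (not from the original article): scan a folder of downloaded
# installers for Authenticode signatures matching the article's description
# of the fraudulent certificates. Folder, extensions and subject match are
# assumptions for illustration.

param(
    [string]$Path = "$env:USERPROFILE\Downloads"   # assumed scan location
)

# Validity-start dates the article gives as the marker of the two bad
# certificates ("Valid from" Jan. 29, 2001 or Jan. 30, 2001).
$suspectStartDates = @(
    [datetime]::new(2001, 1, 29),
    [datetime]::new(2001, 1, 30)
)

function Test-SuspectMicrosoftCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    # Rule 1: the signer presents itself as Microsoft Corporation
    # (the hyperlinked name in the Security Warning dialog).
    $claimsMicrosoft = $Cert.Subject -match 'CN=Microsoft Corporation'
    # Rule 2: the certificate's validity window opens on one of the two
    # suspect dates. NotBefore is reported in local time, so only the
    # date part is compared.
    $startsOnSuspectDate = $suspectStartDates -contains $Cert.NotBefore.Date
    return ($claimsMicrosoft -and $startsOnSuspectDate)
}

Get-ChildItem -Path $Path -Include *.exe, *.dll, *.msi, *.cab -Recurse -File |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($null -eq $sig.SignerCertificate) { return }   # unsigned file, skip
        [pscustomobject]@{
            File      = $_.FullName
            Status    = $sig.Status
            Subject   = $sig.SignerCertificate.Subject
            Issuer    = $sig.SignerCertificate.Issuer
            ValidFrom = $sig.SignerCertificate.NotBefore
            Suspect   = Test-SuspectMicrosoftCertificate -Cert $sig.SignerCertificate
        }
    } |
    Where-Object { $_.Suspect } |
    Format-Table -AutoSize
```

Two points worth keeping in mind when running this: `NotBefore` is converted to the machine's local time zone, so a certificate issued late in the day could show a neighbouring date on a system far from the issuer's zone, and a file that matches is a reason to stop and verify the download through a trusted channel rather than proof on its own, since the date check is only the heuristic the article describes.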
Microsoft has asked anyone finding such a certificate to contact it at firstname.lastname@example.org.