My reading of this is that a hacker managed to human-engineer Verisign into signing a public key used for codesigning. While the key is signed as being Microsoft's, it is in fact the hacker's. He can therefore sign his own ActiveX components and make them appear to come from Microsoft. Trojan horses, anyone? Verisign should be getting a lot of flak on this one - their whole business model relies on being a trustworthy confirmer of identities.

Peter Trei

---------------------------------------

http://www.msnbc.com/news/548228.asp

Microsoft digital certificate stolen
Verisign issued "virtual notary seal" to computer criminal

By Bob Sullivan
MSNBC

March 22 - Microsoft Corp. issued a warning today to all its customers that a computer criminal has obtained a digital certificate with the company's name and authority. The equivalent of a royal seal, digital certificates prove software code was written by a particular company and is safe. Microsoft said the criminal tricked Verisign Inc. into issuing two of the certificates. The software giant is warning users to be suspicious of any program that arrives with a certificate claiming Microsoft's authority.

MICROSOFT'S SCOTT CULP said Verisign issued the two fake certificates accidentally on Jan. 29 and Jan. 30, and discovered the mistake only recently. (MSNBC is a Microsoft-NBC joint venture.)

Web browsers generally encounter such certificates when they arrive on a Web site that has an ActiveX control, which allows dynamic content. Usually, a dialog box pops up asking the users if they would like to trust the code and allow it to run on their machines. The fraudulent certificates would indicate to a user that the code was written by Microsoft and might trick a victim into allowing the code to run.

"That's exactly one of the scenarios that pose the greatest risk," Culp said.

The firm is working on a downloadable solution for the problem, but it won't be ready for about a week, Culp said.

In the meantime, he urged Web users to be suspicious of any digital certificate they encounter, suggesting they check the certificate's details. "Anything that says it was issued on 29th and 30th of January is bogus. Do not trust it," Culp said.

HUMAN ERROR?

Culp blamed the problem on human error inside Verisign. He said law enforcement is now working with the company to track the criminal, who apparently was able to convince Verisign he was a Microsoft employee.

"This wasn't a failure of technology. It was a failure of one particular certificate authority to follow its procedures," he said.

Digital certificates are issued by third parties, called certificate authorities, as a way of virtually "notarizing" computer code. There are hundreds of authorities, but Verisign is one of the largest. Each authority is supposed to follow detailed procedures to verify the identity of the programmer making a certificate request.

Verisign did not immediately return phone calls.