Microsoft updates Windows to combat VeriSign glitch

Computerworld - Microsoft Corp. today said it has completed a promised software update for all of its Windows operating system releases dating back to 1995 as part of an effort to combat a pair of fraudulent digital certificates that were mistakenly issued by VeriSign Inc.

Microsoft also plans to send e-mail messages announcing the availability of the update to more than 130,000 users who subscribe to its security mailing list. The update, which can be downloaded from Microsoft's Web site, is meant to protect Windows users from security threats posed by the invalid digital certificates issued to an imposter claiming to be a Microsoft employee.

The problem first came to light last week, when both Microsoft and Mountain View, Calif.-based VeriSign posted warnings about the fraudulent certificates (see story). Microsoft yesterday issued a new version of its advisory with detailed information about the software update.

Digital certificates are used to prove the origin and authenticity of software programs and data on the Internet, a key requirement for users who are downloading patches or software updates. VeriSign and other certificate issuers generate and digitally sign such certificates after first verifying the identity of the individual or organization that submitted the request.

But in this case, the two certificates issued by VeriSign in late January incorrectly list Microsoft as the owner. The danger, according to Microsoft, is that the fraudulent certificates "are of a type that can be used to digitally sign programs, including ActiveX controls and Office macros" -- a capability that a malicious attacker could use to try to trick users into thinking that unsafe software programs are bona fide Microsoft products.

"Because of the risk this issue poses, Microsoft has taken the unusual step of producing an update for every Windows operating system produced since 1995, regardless of whether it's normally supported or not," the software vendor said in the updated advisory. Users of all releases ranging from Windows 95 to the beta-test version of the upcoming Windows XP should install the update, Microsoft added.

The update should help ensure that software code "signed" by the two fraudulent certificates is recognized as invalid by users, the company said. After installing the update, users who try to install a program that has been authenticated by either certificate should see a warning dialogue that says the certificate has been revoked.

It would still be possible for users to override the warning and run the program, but Microsoft said it would "strongly recommend" against doing so. "The fact that a certificate has been revoked