Tuesday, July 10, 2001

Date: Thu Mar 22, 2001 5:01 pm
Subject: Fake Microsoft Signatures


http://www.microsoft.com/technet/security/bulletin/MS01-017.asp

From the Microsoft Security Bulletin: 'VeriSign, Inc., recently
advised Microsoft that on January 30 and 31, 2001, it issued two
VeriSign Class 3 code-signing digital certificates to an individual
who fraudulently claimed to be a Microsoft employee. The common name
assigned to both certificates is "Microsoft Corporation".' See the
bulletin for more information. Brings a whole new meaning to the
concept of 'Windows Update.' ;) Most users probably ignore the name
on a certificate presented to them anyway, but even that minimal
protection is worthless if certificate authorities don't perform
their job.


Microsoft Security Bulletin (MS01-017)

Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard
Originally posted: March 22, 2001

Summary
Who should read this bulletin: All customers using Microsoft®
products.

Impact of vulnerability: Attacker could digitally sign code using the
name "Microsoft Corporation".

Recommendation: All customers should follow the administrative
procedures detailed in the FAQ. A software update will be issued
shortly to provide permanent remediation.

