In early March 2001, VeriSign, Inc. announced that it had issued two digital certificates to an individual who fraudulently claimed to be a Microsoft employee. This issue is discussed at length in Microsoft Security Bulletin MS01-017 (http://www.microsoft.com/technet/security/bulletin/ms01-017.mspx). This article provides information that you can use to recognize these certificates.
For additional information about this issue, click the article number below to view the article in the Microsoft Knowledge Base:
293818 (http://support.microsoft.com/kb/293818/EN-US/) Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard
For additional information about how to revoke these certificates' trusted status, click the article number below to view the article in the Microsoft Knowledge Base:
293816 (http://support.microsoft.com/kb/293816/EN-US/) How to Determine Whether You Have Accepted Trust for Fraudulent VeriSign-Issued Certificates
For additional information about how to remove the VeriSign Commercial Software Publishers certification authority (CA) from the trusted store, click the article number below to view the article in the Microsoft Knowledge Base:
293819 (http://support.microsoft.com/kb/293819/EN-US/) How to Remove a Root Certificate from the Trusted Root Store
For additional information about how to obtain a tool to revoke these fraudulent certificates, click the article number below to view the article in the Microsoft Knowledge Base:
293811 (http://support.microsoft.com/kb/293811/EN-US/) Update Available to Revoke Fraudulent Microsoft Certificates Issued by VeriSign
These certificates are untrusted by default, even if you have previously chosen to trust content from Microsoft; therefore, you always receive a warning dialog box if you encounter these certificates. Click Microsoft Corporation on this warning dialog box to identify these certificates. Microsoft recommends against running any content that is signed with these certificates.
Fraudulent Certificate 1
The first fraudulent certificate can be uniquely identified by the following properties on the Details tab:
- Serial Number: 750E 40FF 97F0 47ED F556 C708 4EB1 ABFD
- Issuer: OU = VeriSign Commercial Software Publishers CA
  O = VeriSign, Inc.
  L = Internet
- Thumbprint: 7D7F 4414 CCEF 168A DF6B F407 53B5 BECD 7837 5931
Fraudulent Certificate 2
The second fraudulent certificate can be uniquely identified by the following properties on the Details tab:
- Serial Number: 1B51 90F7 3724 399C 9254 CD42 4637 996A
- Issuer: OU = VeriSign Commercial Software Publishers CA
  O = VeriSign, Inc.
  L = Internet
- Thumbprint: 6371 62CC 59A3 A1E2 5956 FA5F A8F6 0D2E 1C52 EAC6
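One way to check a current Windows system for the two certificates identified above, as an added example that is not part of the original article. The function names and the `$ScanRoot` path are hypothetical; the serial numbers, thumbprints and issuer name are the ones printed in this article.

```powershell
# Serial numbers and thumbprints as printed in this article (spaces are display only).
$Fraudulent = @(
    @{ Name = 'Fraudulent Certificate 1'
       Serial = '750E 40FF 97F0 47ED F556 C708 4EB1 ABFD'
       Thumbprint = '7D7F 4414 CCEF 168A DF6B F407 53B5 BECD 7837 5931' },
    @{ Name = 'Fraudulent Certificate 2'
       Serial = '1B51 90F7 3724 399C 9254 CD42 4637 996A'
       Thumbprint = '6371 62CC 59A3 A1E2 5956 FA5F A8F6 0D2E 1C52 EAC6' }
)
$IssuerOU = 'VeriSign Commercial Software Publishers CA'

# Strip spaces so the article's values compare equal to .NET's compact hex strings.
function ConvertTo-CompactHex([string]$Text) {
    ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

# Returns the matching entry name, or $null. A serial number is only unique
# per issuer, so the serial check also requires the issuer named in the article.
function Find-FraudulentMatch([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    foreach ($e in $Fraudulent) {
        $byThumb  = $Cert.Thumbprint -eq (ConvertTo-CompactHex $e.Thumbprint)
        $bySerial = ($Cert.SerialNumber -eq (ConvertTo-CompactHex $e.Serial)) -and
                    ($Cert.Issuer -like "*$IssuerOU*")
        if ($byThumb -or $bySerial) { return $e.Name }
    }
    return $null
}

# 1. Every certificate store. The store path is reported because a hit in a
#    Disallowed (untrusted) store is an explicit distrust entry, not a trusted copy.
Get-ChildItem Cert:\ -Recurse |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
    ForEach-Object {
        $hit = Find-FraudulentMatch $_
        if ($hit) { [pscustomobject]@{ Match = $hit; Where = $_.PSParentPath; Subject = $_.Subject } }
    }

# 2. Authenticode signers of files under a directory (hypothetical path; adjust).
$ScanRoot = 'C:\Downloads'
Get-ChildItem -Path $ScanRoot -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.SignerCertificate) {
            $hit = Find-FraudulentMatch $sig.SignerCertificate
            if ($hit) { [pscustomobject]@{ Match = $hit; Where = $_.FullName; Status = $sig.Status } }
        }
    }
```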
Complete Details of Fraudulent Certificates
For your reference, the complete details of these fraudulent certificates are provided in the following sections.
Fraudulent Certificate 1
The General tab contains the following information:
Certificate Information
This certificate is intended for the following purpose(s):
- Ensures software came from software publisher
- Protects software from alteration after publication
* Refer to the certification authority's statement for details.
The Details tab contains the following information:
Show: <All>
- Version
V3
- Serial number
750E 40FF 97F0 47ED F556 C708 4EB1 ABFD
- Signature algorithm
md5RSA
- Issuer
OU = VeriSign Commercial Software Publishers CA
O = VeriSign, Inc.
L = Internet
- Valid from
Tuesday, January 30, 2001 7:00:00 PM
- Valid to
Thursday, January 31, 2002 6:59:59 PM
- Subject
OU = Microsoft Corporation
CN = Microsoft Corporation
L = Redmond
S = Washington
C = US
OU = Digital ID Class 3 - Microsoft Software Validation v2
OU = www.verisign.com/repository/CPS Incorp. by Ref.,LIAB.LTD(c)96
OU = VeriSign Commercial Software Publishers CA
O = VeriSign, Inc.
L = Internet
- Public key
3081 8902 8181 00EE FA1F C9B0 43DF 7E75 814E 3171 910B FC15 9DD9 4A8A 51F5 0918 C67C C5F1 27C4 0162 FCBF FC84 29A6 2FE6 1E02 060B 9689 D342 B173 9F02 AE75 6209 3F83 8034 4660 390A E321 4EE7 0442 D57E 5E98 4527 5D04 B927 32C0 65A4 9485 1325 DB16 F2FB 51C7 FF28 62D1 8331 4FA9 A4F4 C54F 9D00 2E14 3F95 169C 4E25 071B D57D 3871 D840 F8AA 7102 0301 0001
- Basic Constraints
Subject Type=End Entity
Path Length Constraint=None
- Key Usage
Digital Signature, Key Encipherment(A0)
- Authority Key Identifier
KeyID=7B96 E4D1 43FD 6898 F338 CC6E 3BF2 0B82
Certificate Issuer:
OU=VeriSign Commercial Software Publishers CA
O="VeriSign, Inc."
L=Internet
Certificate SerialNumber=03C7 8F37 DB92 28DF 3CBB 1AAD 82FA 6710
- Basic Constraints
Subject Type=End Entity
Path Length Constraint=None
- Certificate Policies
[1]Certificate Policy:
PolicyIdentifier=2.16.840.1.113733.1.7.1.8
[1,1]Policy Qualifier Info:
Policy Qualifier Id=CPS
Qualifier:
https://www.verisign.com/rpa
- SpcFinancialCriteria
Financial Information=Available
Meets Criteria=Yes
- Key Usage Restriction
[1]Cert PolicyId=1.3.6.1.4.1.311.2.1.22
Restricted Key Usage=Digital Signature(80)
- SpcSpAgencyInfo
Policy Information:
URL=https://www.verisign.com/repository/CPS
Policy Display=This certificate incorporates by reference, and its use is strictly subject to, the VeriSign Certification Practice Statement (CPS)
version 1.0, available in the VeriSign repository at:
https://www.verisign.com; by E-mail at CPS-requests@verisign.com; or
by mail at VeriSign, Inc., 2593 Coast Ave., Mountain View, CA 94043
USA Copyright (c)1996 VeriSign, Inc. All Rights Reserved. CERTAIN
WARRANTIES DISCLAIMED AND LIABILITY LIMITED.
WARNING: THE USE OF THIS CERTIFICATE IS STRICTLY SUBJECT TO THE
VERISIGN CERTIFICATION PRACTICE STATEMENT. THE ISSUING AUTHORITY
DISCLAIMS CERTAIN IMPLIED AND EXPRESS WARRANTIES, INCLUDING WARRANTIES
OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, AND WILL NOT
BE LIABLE FOR CONSEQUENTIAL, PUNITIVE, AND CERTAIN OTHER DAMAGES. SEE
THE CPS FOR DETAILS.
Contents of the VeriSign registered nonverifiedSubjectAttributes
extension value shall not be considered as accurate information
validated by the IA.
Policy Logo Link:
URL=https://www.verisign.com/repository/verisignlogo.gif
- Thumbprint algorithm
sha1
- Thumbprint
7D7F 4414 CCEF 168A DF6B F407 53B5 BECD 7837 5931
The Certification Path tab contains the following information:
Certification path
VeriSign Commercial Software Publishers CA
Microsoft Corporation
Fraudulent Certificate 2
The General tab contains the following information:
Certificate Information
This certificate is intended for the following purpose(s):
- Ensures software came from software publisher
- Protects software from alteration after publication
* Refer to the certification authority's statement for details.
The Details tab contains the following information:
Show: <All>
- Version
V3
- Serial number
1B51 90F7 3724 399C 9254 CD42 4637 996A
- Signature algorithm
md5RSA
- Issuer
OU = VeriSign Commercial Software Publishers CA
O = VeriSign, Inc.
L = Internet
- Valid from
Monday, January 29, 2001 7:00:00 PM
- Valid to
Wednesday, January 30, 2002 6:59:59 PM
- Subject
OU = Software
CN = Microsoft Corporation
L = Washington
S = DC
C = US
OU = Digital ID Class 3 - Microsoft Software Validation v2
OU = www.verisign.com/repository/CPS Incorp. by Ref.,LIAB.LTD(c)96
OU = VeriSign Commercial Software Publishers CA
O = VeriSign, Inc.
L = Internet
- Public key
3081 8902 8181 009E 30E5 9341 8E11 0767 BABD C9C6 110A AB5A 4CD6 6D0C ADFA B30E A019 1C54 7FC5 2E29 CE7E DADE EB28 D5AD 1AB0 CAD5 B2F1 9B83 E23E 448F E997 2693 B36D 390C 6967 50B9 1498 7DA4 C342 66E3 8CFC DADB 89EC 9C6B 54DD 481C C4DD 2055 B7EA 2557 B6CE FCEB E087 62A1 85A9 1FCF F2FB 2094 9BDA E53D D6B9 80E9 06AF 31A6 CD7E B3CF B490 5502 0301 0001
- Basic Constraints
Subject Type=End Entity
Path Length Constraint=None
- Key Usage
Digital Signature, Key Encipherment(A0)
- Authority Key Identifier
KeyID=7B96 E4D1 43FD 6898 F338 CC6E 3BF2 0B82
Certificate Issuer:
OU=VeriSign Commercial Software Publishers CA
O="VeriSign, Inc."
L=Internet
Certificate SerialNumber=03C7 8F37 DB92 28DF 3CBB 1AAD 82FA 6710
- Basic Constraints
Subject Type=End Entity
Path Length Constraint=None
- Certificate Policies
[1]Certificate Policy:
PolicyIdentifier=2.16.840.1.113733.1.7.1.8
[1,1]Policy Qualifier Info:
Policy Qualifier Id=CPS
Qualifier:
https://www.verisign.com/rpa
- SpcFinancialCriteria
Financial Information=Available
Meets Criteria=Yes
- Key Usage Restriction
[1]Cert PolicyId=1.3.6.1.4.1.311.2.1.22
Restricted Key Usage=Digital Signature(80)
- SpcSpAgencyInfo
Policy Information:
URL=https://www.verisign.com/repository/CPS
Policy Display=This certificate incorporates by reference, and its use is strictly subject to, the VeriSign Certification Practice Statement (CPS)
version 1.0, available in the VeriSign repository at:
https://www.verisign.com; by E-mail at CPS-requests@verisign.com; or
by mail at VeriSign, Inc., 2593 Coast Ave., Mountain View, CA 94043
USA Copyright (c)1996 VeriSign, Inc. All Rights Reserved. CERTAIN
WARRANTIES DISCLAIMED AND LIABILITY LIMITED.
WARNING: THE USE OF THIS CERTIFICATE IS STRICTLY SUBJECT TO THE
VERISIGN CERTIFICATION PRACTICE STATEMENT. THE ISSUING AUTHORITY
DISCLAIMS CERTAIN IMPLIED AND EXPRESS WARRANTIES, INCLUDING WARRANTIES
OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, AND WILL NOT
BE LIABLE FOR CONSEQUENTIAL, PUNITIVE, AND CERTAIN OTHER DAMAGES. SEE
THE CPS FOR DETAILS.
Contents of the VeriSign registered nonverifiedSubjectAttributes
extension value shall not be considered as accurate information
validated by the IA.
Policy Logo Link:
URL=https://www.verisign.com/repository/verisignlogo.gif
- Thumbprint algorithm
sha1
- Thumbprint
6371 62CC 59A3 A1E2 5956 FA5F A8F6 0D2E 1C52 EAC6
The Certification Path tab contains the following information:
Certification path
VeriSign Commercial Software Publishers CA
Microsoft Corporation