VeriSign issues fake MS Certs
Greg Baker
phantomink at powersurfr.com
Fri, 23 Mar 2001 17:01:14 -0800
If they make it for everyone else, why don't they use it on themselves?
Greg
Alan Ramsbottom wrote:
> Oops!
>
> -Alan-
> ______________
> http://www.microsoft.com/technet/security/bulletin/MS01-017.asp
>
> 'Issue:
> ======
> VeriSign, Inc., recently advised Microsoft that on January 30 and 31,
> 2001, it issued two VeriSign Class 3 code-signing digital
> certificates to an individual who fraudulently claimed to be a
> Microsoft employee. The common name assigned to both certificates is
> "Microsoft Corporation". The ability to sign executable content using
> keys that purport to belong to Microsoft would clearly be
> advantageous to an attacker who wished to convince users to allow the
> content to run........ VeriSign has revoked the certificates, and they
> are listed in
> VeriSign's current Certificate Revocation List (CRL). However,
> because VeriSign's code-signing certificates do not specify a CRL
> Distribution Point (CDP),......'
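The quoted bulletin turns on one certificate field: a client locates a CA's CRL through the certificate's CRL Distribution Point extension. The following is an added example, not part of the original message or the bulletin, showing how to check a certificate for that extension with the Python `cryptography` package. The certificates, common name and CRL URL are constructed test values.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def make_cert(common_name, crl_url=None):
    """Build a constructed, self-signed test certificate, optionally with a CDP."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    start = datetime.datetime(2001, 1, 30)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=365))
    )
    if crl_url:
        point = x509.DistributionPoint(
            full_name=[x509.UniformResourceIdentifier(crl_url)],
            relative_name=None, reasons=None, crl_issuer=None)
        builder = builder.add_extension(
            x509.CRLDistributionPoints([point]), critical=False)
    return builder.sign(key, hashes.SHA256())


def crl_urls(cert):
    """Return the CRL URLs named in the certificate, or [] if it has no CDP."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints)
    except x509.ExtensionNotFound:
        return []  # no CDP: the certificate gives a client nowhere to fetch a CRL
    return [gn.value
            for point in ext.value
            for gn in (point.full_name or [])
            if isinstance(gn, x509.UniformResourceIdentifier)]


def audit(certs):
    """Map each subject to True when the certificate names at least one CRL URL."""
    return {c.subject.rfc4514_string(): bool(crl_urls(c)) for c in certs}
```

A certificate loaded from disk with `x509.load_pem_x509_certificate` can be passed to `crl_urls` in the same way.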