March 22, 2001

Microsoft Security Bulletin (MS01-017) - Microsoft has just announced that an imposter has been issued software signing certificates in Microsoft Corporation's name. Let me give you the details in plain English:

1. When you are browsing the web, you may be asked whether it is OK to run a program (an installer or a component) that has been signed by a company or individual.
2. The bogus certificates allow the hacker to put up a component download (a program) on a web site (any web site they infiltrate), and the pop-up window will ask whether you want to allow a program from Microsoft Corporation to install or run.
3. The vast majority of users would normally trust components signed by Microsoft Corporation, so the hacker can pose as the company. The bogus certificate will appear to be just as valid as Microsoft's genuine certificate.

What should you do?
1. Don't automatically trust a certificate just because it says it is from Microsoft Corporation. Check the dates in the certificate details screen. If the certificate was issued on 1/29/2001 or 1/30/2001, it is one of the bogus ones.
2. Report any sightings to your Information System Security Officer.
3. When the patch comes out, update your system using Microsoft's Update site.
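
The date check in step 1 can also be run over files already on disk. The script below is an added example, not part of the original post or of Microsoft's bulletin: it lists Authenticode-signed files whose signer certificate names Microsoft Corporation and has an issue date of 1/29/2001 or 1/30/2001. The folder path, the file extensions and the function name `Test-SuspectCertificate` are assumptions chosen for illustration.

```powershell
# Added example: flag signed files whose signer certificate matches the two
# criteria given in the post (signer name + issue date).
param(
    [string]$Path = "$env:USERPROFILE\Downloads"   # assumption: folder to review
)

$SuspectName  = 'Microsoft Corporation'            # name from the post
$SuspectDates = @('2001-01-29', '2001-01-30')      # issue dates from the post
$Invariant    = [cultureinfo]::InvariantCulture

function Test-SuspectCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    if ($null -eq $Cert) { return $false }                          # unsigned file
    if ($Cert.Subject -notlike "*$SuspectName*") { return $false }  # other signer

    # NotBefore is reported in local time, while the certificate stores UTC.
    # Check both calendar dates so a time-zone shift cannot hide a match.
    $issued = @(
        $Cert.NotBefore.ToString('yyyy-MM-dd', $Invariant),
        $Cert.NotBefore.ToUniversalTime().ToString('yyyy-MM-dd', $Invariant)
    )
    foreach ($d in $issued) {
        if ($SuspectDates -contains $d) { return $true }
    }
    return $false
}

# Extensions are an assumption: common carriers of signed web components.
Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.ocx, *.cab `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        if (Test-SuspectCertificate $sig.SignerCertificate) {
            # Emit the details needed for a report to the security officer.
            [pscustomobject]@{
                File      = $_.FullName
                Subject   = $sig.SignerCertificate.Subject
                Issuer    = $sig.SignerCertificate.Issuer
                NotBefore = $sig.SignerCertificate.NotBefore
                Serial    = $sig.SignerCertificate.SerialNumber
                Status    = $sig.Status
            }
        }
    }
```

A `Status` of `Valid` on a listed file means only that the signature chains correctly, which is exactly what the bogus certificates would also show, so any file the script lists should be reported as described in step 2.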

Be safe out there!
