Microsoft today said it has completed a promised software update for all of its Windows operating system releases dating back to 1995 as part of an effort to combat a pair of fraudulent digital certificates that were mistakenly issued by VeriSign Inc.
Microsoft also plans to send e-mail messages announcing the availability of the update to more than 130,000 users who subscribe to its security mailing list. The update, which can be downloaded from Microsoft's Web site, is meant to protect Windows users from security threats posed by the invalid digital certificates issued to an imposter claiming to be a Microsoft employee.
The problem first came to light last week, when both Microsoft and VeriSign posted warnings about the fraudulent certificates. Microsoft yesterday issued a new version of its advisory with detailed information about the software update.
Digital certificates are used to prove the origin and authenticity of software programs and data on the Internet, a key requirement for users who are downloading patches or software updates. VeriSign and other certificate issuers generate and digitally sign such certificates after first verifying the identity of the individual or organization that submitted the request.
But in this case, the two certificates issued by VeriSign in late January incorrectly list Microsoft as the owner. The danger, according to Microsoft, is that the fraudulent certificates "are of a type that can be used to digitally sign programs, including ActiveX controls and Office macros" -- a capability that a malicious attacker could use to try to trick users into thinking that unsafe software programs are bona fide Microsoft products.
"Because of the risk this issue poses, Microsoft has taken the unusual step of producing an update for every Windows operating system produced since 1995, regardless of whether it's normally supported or not," the software vendor said in the updated advisory. Users of all releases ranging from Windows 95 to the beta-test version of the upcoming Windows XP should install the update, Microsoft added.
The update should help ensure that software code "signed" by the two fraudulent certificates is recognized as invalid by users, the company said. After installing the update, users who try to install a program that has been authenticated by either certificate should see a warning dialogue that says the certificate has been revoked.
It would still be possible for users to override the warning and run the program, but Microsoft said it would "strongly recommend" against doing so. "The fact that a certificate has been revoked by its issuer speaks volumes about its untrustworthiness," the company added.
Microsoft noted that users may have to reapply the update if they upgrade existing versions of Windows or its Internet Explorer browser. Those releases reset some system parameters when they're installed, which could disable the update. But the company said that won't be the case with future versions such as Windows XP, Windows 2000 and IE 6.
Users who don't want to install the update for some reason should continue to take several other protective steps that were outlined in the original advisory, Microsoft said. It also asked any users who have encountered programs signed by the fraudulent certificates to send an e-mail message to its security response team at firstname.lastname@example.org.
Microsoft and VeriSign have called in the FBI to investigate the incident, but the identity of the person who was able to obtain the certificates in Microsoft's name remains unknown. Officials at VeriSign, which is the largest issuer of digital certificates, have blamed the January snafu on human error.