My brother the computer geek sent this to me, so I thought I would pass it on as a passing interest thing.
I suppose if you have checked the box "always trust content from Microsoft" it could cause some worry.

William Robb

----- Original Message -----
From: "Jim" <[EMAIL PROTECTED]>
To: "William Robb" <[EMAIL PROTECTED]>
Sent: March 26, 2001 9:23 AM
Subject: (Fwd) invalid Microsoft certificates

> Cory Morhart works for us, so treat this as legit.
>
> Jim
>
> ------- Forwarded message follows -------
> From: "Cory Morhart" <[EMAIL PROTECTED]>
> To: "Carla" <[EMAIL PROTECTED]>, "jim@FifthAvenue.CA" <[EMAIL PROTECTED]>
> Subject: invalid Microsoft certificates
> Date sent: Mon, 26 Mar 2001 09:06:06 -0600
>
> 1) Alert: Fake Microsoft Security Certificates!
>
> OK, this is a bad one:
>
> VeriSign, Inc., recently advised Microsoft that on January 30
> and 31, 2001, it issued two VeriSign Class 3 code-signing
> digital certificates to an individual who fraudulently claimed
> to be a Microsoft employee. The common name assigned to both
> certificates is "Microsoft Corporation...." However, even
> though the certificates say they are owned by Microsoft, they
> are not bona fide Microsoft certificates... The danger, of
> course, is that even a security-conscious user might agree to
> let the content execute, and might agree to always trust the
> bogus certificates.
>
> In other words, a malicious hacker fooled VeriSign into thinking he or she
> was from Microsoft; VeriSign then issued "Microsoft" digital certificates
> to this individual. Those certificates would make it seem that the
> hacker's code was from Microsoft, and might fool people into downloading
> and running the code--- which could do almost anything to your system.
>
> Note that this is a VeriSign problem, not a Microsoft problem. VeriSign
> has revoked the bogus certificates, but there's still a residual risk that
> you could still end up being presented with the fake, and now-revoked,
> certificates due to a weakness in the way the VeriSign Certificate
> Revocation List works.
>
> To their credit, Microsoft is trying to develop a workaround that will
> give users pseudo-access to the Certificate Revocation List, but because
> this involves patching all Microsoft software that uses digital
> certificates--- and that goes back to 1995 and includes all versions of
> Win95, Win98, WinME, Win NT, and Win2000--- it's going to take a while.
>
> In the meantime: If you download software allegedly from Microsoft and see
> a digital certificate dated the 29th or 30th of January 2001, reject it:
> No bona fide Microsoft certificates were issued on these dates, so you
> won't be missing anything legitimate. In fact, all you'll be missing is
> bogus--- and probably hostile--- code.
>
> Lots more info:
> http://www.microsoft.com/technet/security/bulletin/MS01-017.asp
>
> ------- End of forwarded message -------
>
> ---
> Fifth Avenue Collection Ltd. Moose Jaw, Canada
> Phone: (306) 694-8188 Fax: (306) 694-0610
> www.FifthAvenue.CA
>
-
This message is from the Pentax-Discuss Mail List. To unsubscribe,
go to http://www.pdml.net and follow the directions. Don't forget to
visit the Pentax Users' Gallery at http://pug.komkon.org .

