How to Determine Whether You Have Accepted Trust for Fraudulent VeriSign-Issued Certificates (293816)



The information in this article applies to:

  • Microsoft Windows NT Server 4.0 Terminal Server Edition SP4
  • Microsoft Windows NT Server 4.0 Terminal Server Edition SP5
  • Microsoft Windows NT Server 4.0 Terminal Server Edition SP6
  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Professional SP1
  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT Server 4.0 SP1
  • Microsoft Windows NT Server 4.0 SP2
  • Microsoft Windows NT Server 4.0 SP3
  • Microsoft Windows NT Server 4.0 SP4
  • Microsoft Windows NT Server 4.0 SP5
  • Microsoft Windows NT Server 4.0 SP6a
  • Microsoft Windows NT Server, Enterprise Edition 4.0
  • Microsoft Windows NT Server, Enterprise Edition 4.0 SP4
  • Microsoft Windows NT Server, Enterprise Edition 4.0 SP5
  • Microsoft Windows NT Server, Enterprise Edition 4.0 SP6a
  • Microsoft Windows NT Workstation 4.0
  • Microsoft Windows NT Workstation 4.0 SP1
  • Microsoft Windows NT Workstation 4.0 SP2
  • Microsoft Windows NT Workstation 4.0 SP3
  • Microsoft Windows NT Workstation 4.0 SP4
  • Microsoft Windows NT Workstation 4.0 SP5
  • Microsoft Windows NT Workstation 4.0 SP6a
  • Microsoft Windows Millennium Edition
  • Microsoft Windows 98 Second Edition
  • Microsoft Windows 98
  • Microsoft Windows 95

This article was previously published under Q293816

IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SUMMARY

In early March 2001, VeriSign, Inc., announced that it had issued two digital certificates to an individual who fraudulently claimed to be a Microsoft employee. This issue is discussed at length in Microsoft Security Bulletin MS01-017. This article describes how to determine if you have enabled the trust for these certificates and how to remove that trust.

For additional information about this issue, click the article number below to view the article in the Microsoft Knowledge Base:

293818 Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard

For additional information about how to recognize these fraudulent certificates, click the article number below to view the article in the Microsoft Knowledge Base:

293817 How to Recognize Erroneously-Issued VeriSign Code-Signing Certificates

For additional information about how to remove VeriSign Commercial Software Publishers CA from the trusted store, click the article number below to view the article in the Microsoft Knowledge Base:

293819 How to Remove a Root Certificate from the Trusted Root Store

For additional information about how to obtain a tool to revoke these fraudulent certificates, click the article number below to view the article in the Microsoft Knowledge Base:

293811 Update Available to Revoke Fraudulent Microsoft Certificates Issued by VeriSign

MORE INFORMATION

When you click Always trust content from Microsoft Corporation in the warning dialog box that appears when you encounter these certificates, "Microsoft Corporation" is added to the list of trusted publishers. To remove this explicit trust:

Microsoft Internet Explorer 5, 5.01, 5.5

  1. On the Tools menu in Internet Explorer, click Internet Options.
  2. On the Content tab, click Publishers.
  3. Click Microsoft Corporation, click Remove, and then click OK.

    NOTE: If "Microsoft Corporation" appears multiple times, there is no way to determine which one to remove; therefore, you must edit the registry by using the steps in the "Editing the Registry" section.
  4. Click OK.

Internet Explorer 4.x

  1. On the View menu in Internet Explorer, click Options.
  2. On the Content tab, click Publishers.
  3. Click Microsoft Corporation, click Delete, and then click OK.

    NOTE: If "Microsoft Corporation" appears multiple times, there is no way to determine which one to remove; therefore, you must edit the registry by using the steps in the "Editing the Registry" section.
  4. Click OK.

Editing the Registry

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

If "Microsoft Corporation" appears multiple times, use these steps to remove these fraudulent certificates:

  1. Start Registry Editor (Regedit.exe).
  2. Determine whether the following key in the registry

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0

    contains one or more of the following values:

    • bhhphijojgfcdocagmhjgjbhmieinfap pnkllbeoaimhfgpfonehpajhppeaaohf
    • bhhphijojgfcdocagmhjgjbhmieinfap gkjjdhegecmnfejcjmdjcedhphjafbbl
  3. If these values exist, delete them by clicking the value and then clicking Delete on the Edit menu.
  4. Quit Registry Editor.
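
The check in step 2 can also be run against a text export of the registry, which helps when many user profiles have to be reviewed. The following is an added example, not part of the original Microsoft article: it assumes the key was exported to a .reg file with Registry Editor, and the function name, the sample export and the publisher strings in it are constructed for illustration.

```python
import re

# Subkey and value names copied from the "Editing the Registry" steps above.
TRUST_DB_SUBKEY = (r"\Software\Microsoft\Windows\CurrentVersion\WinTrust"
                   r"\Trust Providers\Software Publishing\Trust Database\0")
FRAUDULENT_VALUES = {
    "bhhphijojgfcdocagmhjgjbhmieinfap pnkllbeoaimhfgpfonehpajhppeaaohf",
    "bhhphijojgfcdocagmhjgjbhmieinfap gkjjdhegecmnfejcjmdjcedhphjafbbl",
}

_KEY_RE = re.compile(r"^\[(.+)\]$")                # [HKEY_...\subkey] section header
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"\s*=')  # "value name"=data

# Constructed sample export (not taken from a real machine).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0]
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"="Example Publisher (constructed)"
"bhhphijojgfcdocagmhjgjbhmieinfap gkjjdhegecmnfejcjmdjcedhphjafbbl"="Microsoft Corporation"

[HKEY_CURRENT_USER\Software\Example\Unrelated]
"bhhphijojgfcdocagmhjgjbhmieinfap pnkllbeoaimhfgpfonehpajhppeaaohf"="outside the trust database key"
'''


def find_fraudulent_trust(reg_text):
    """Return (key, value_name) pairs from a .reg export that match the article's values."""
    hits, current_key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        # Only values under ...\Trust Database\0 count; registry names are case-insensitive.
        if current_key is None or not current_key.lower().endswith(TRUST_DB_SUBKEY.lower()):
            continue
        m = _VALUE_RE.match(line)
        if m:
            # .reg files escape backslashes and double quotes inside value names.
            name = re.sub(r"\\(.)", r"\1", m.group(1))
            if name.lower() in FRAUDULENT_VALUES:
                hits.append((current_key, name))
    return hits


if __name__ == "__main__":
    for key, name in find_fraudulent_trust(SAMPLE_EXPORT):
        print("Trust entry to delete:", key, "->", name)
```

Registry Editor on Windows 2000 writes exports as Unicode text, so decode such a file as UTF-16 before passing its contents to the function.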

Modification Type: Minor
Last Reviewed: 12/20/2004
Keywords: kb3rdparty kbinfo KB293816