Kitsap Peninsula Business Journal
4-4-2001
Microsoft faces hacker threat
Microsoft has warned that hackers have obtained two digital certificates that would allow them to pass off malicious programs and viruses as official pieces of Microsoft code and spread viruses in its name.

The announcement highlighted a key vulnerability in the way programs and small pieces of computer code are currently passed around the internet.

Microsoft said someone contacted VeriSign, a leading issuer of digital certificates, at the end of January pretending to be a Microsoft employee. The caller then persuaded VeriSign to hand over two certificates in the name of Microsoft Corporation.

Microsoft and other corporations typically attach certificates to their software to assure users that the program came from an official source. Conceivably, users could be tricked into downloading programs that would steal vital data or wipe their computer’s entire hard drive.

Users can manually inspect certificates before they download a piece of software, or they can set up filters on their computer systems that only accept downloads with a proper certificate. But Microsoft said even security-minded users might be persuaded to download malicious code if they saw it stamped with the Microsoft name.

Microsoft engineers are currently working on a patch that will allow its software to block the bogus certificates. It advised users to check certificates that would pop up in a dialogue box when they downloaded software and stay away from any that claimed to come from Microsoft marked January 30 or 31.

A Microsoft spokesman said he could not comment on whether it would be asking VeriSign for any compensation following the breach. “It hasn’t been an issue,” he said. “We’ve been too busy working out a solution for our customers.”

Microsoft has issued a security bulletin on the problem.