Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Windows Net Apps :: al200104.txt

Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard




-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                        AL-2001.04  --  AUSCERT ALERT
                    Microsoft Security Bulletin MS01-017
    Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard
                                23 March 2001

===========================================================================

        AusCERT Alert Summary
        ---------------------------------

Impact:                 Reduced Security
                        Provide Misleading Information
Access Required:        Remote

Summary:

AusCERT is issuing this external security bulletin as an AusCERT Alert
to emphasize the significance of vulnerabilities listed.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

- - ----------------------------------------------------------------------
Title:      Erroneous VeriSign-Issued Digital Certificates Pose 
            Spoofing Hazard
Date:       22 March 2001
Software:   All Microsoft customers should read the bulletin.
Impact:     Attacker could digitally sign code using the name 
            "Microsoft Corporation". 
Bulletin:   MS01-017

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-017.asp.
- - ----------------------------------------------------------------------

Issue:
======
VeriSign, Inc., recently advised Microsoft that on January 30 and 31,
2001, it issued two VeriSign Class 3 code-signing digital
certificates to an individual who fraudulently claimed to be a
Microsoft employee. The common name assigned to both certificates is
"Microsoft Corporation". The ability to sign executable content using
keys that purport to belong to Microsoft would clearly be
advantageous to an attacker who wished to convince users to allow the
content to run. 
The certificates could be used to sign programs, ActiveX controls,
Office macros, and other executable content. Of these, signed ActiveX
controls and Office macros would pose the greatest risk, because the
attack scenarios involving them would be the most straightforward.
Both ActiveX controls and Word documents can be delivered via either
web pages or HTML mails. ActiveX controls can be automatically
invoked via script, and Word documents can be automatically opened
via script unless the user has applied the Office Document Open
Confirmation Tool. 

However, even though the certificates say they are owned by
Microsoft, they are not bona fide Microsoft certificates, and content
signed by them would not be trusted by default. Trust is defined on a
certificate-by-certificate basis, rather than on the basis of the
common name. As a result, a warning dialogue would be displayed
before any of the signed content could be executed, even if the user
had previously agreed to trust other certificates with the common
name "Microsoft Corporation". The danger, of course, is that even a
security-conscious user might agree to let the content execute, and
might agree to always trust the bogus certificates. 

VeriSign has revoked the certificates, and they are listed in
VeriSign's current Certificate Revocation List (CRL). However,
because VeriSign's code-signing certificates do not specify a CRL
Distribution Point (CDP), it is not possible for any browser's
CRL-checking mechanism to download the VeriSign CRL and use it.
Microsoft is developing an update that rectifies this problem. The
update package includes a CRL containing the two certificates, and an
installable revocation handler that consults the CRL on the local
machine, rather than attempting to use the CDP mechanism. 

Versions of the update are being prepared for all Microsoft platforms
released since 1995. However, because of the large number of
platforms that must be tested, the patches are not available at this
writing. Until the update is available, we urge customers to take
some or all of the following steps to protect themselves should they
encounter hostile code signed by one of the certificates. 
 - Visually inspect the certificates cited in all warning 
   dialogues. The two certificates at issue here were issued 
   on 29 and 30 January 2001, respectively. No bona fide 
   Microsoft certificates were issued on these dates. The 
   FAQ and Knowledge Base article Q293817 provide complete 
   details regarding both certificates. 
 - Install the Outlook Email Security Update 
   (http://www.officeupdate.com/2000/downloadDetails/Out2ksec.htm) 
   to prevent mail-borne programs from being launched, even via 
   signed components, and install the Office Document Open 
   Confirmation Tool 
   (http://officeupdate.microsoft.com/downloadDetails/confirm.htm)
   to force web pages to request permission before opening Office 
   documents. 
 - Consider temporarily removing the VeriSign Commercial Software 
   Publishers CA certificate from the Trusted Root Store. Knowledge
   Base article Q293819 provides details on how to do this. 

Mitigating Factors:
====================
 - The certificates are not trusted by default. As a result, 
   neither code nor ActiveX controls could be made to run without 
   displaying a warning dialogue. By viewing the certificate in 
   such dialogues, users can easily recognize the certificates. 
 - The certificates are not the bona fide Microsoft code-signing 
   certificates. Content signed by those keys can be distinguished 
   from bona fide Microsoft content. 

Patch Availability:
===================
 - A software update is under development and will be released 
   shortly. When it is available, we will update this bulletin 
   to provide information on how to obtain and use it. 


- - ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.



- -----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQEVAwUBOrodSI0ZSRQxA/UrAQF5ogf+PPlBgMNKx1hSjvUpKCOOGC3vnSGx5rfF
AbMlLePETm/tfrmyodtL6Gnsi/Upakt20np8Z7xvxDA9+HybF7oDOY4uSZhmyKu9
kkttEKWA4JmyQbNt4bZw0Rv9iXZttdcd+spmkDg5ntukhQmnEOj8gBnJfXrJEqg8
3pjnrSJlz1RZ20XLrLMhsQe55eolgrnb2szUFNxFV4tN61TvtIUlO0vcnRgc6ZFG
2tLo6IZqH+yESt10WhlwLVjmef1QrtkGox3S4JGWdahjbmKAgS+ITH86uGY8L40D
VBVS4tYX1h0N194n5AimxyV79A1VlqWzXOcbJ4oeZrKWB0gIt+7Cqw==
=QWGt
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

This alert is provided as a service to AusCERT's members.  As AusCERT did
not write the document quoted above, AusCERT has had no control over its
content.  The decision to use any or all of this information is the
responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the alert.  It may not be
updated when updates to the original are made.  If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the alert above.  If you have any questions or need further information,
please contact them directly.

Previous advisories, alerts and external security bulletins can be
retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOrtHKSh9+71yA2DNAQHw3wQAlf7smG8oxGXKsI56s8JfYNZD8XwIU8ix
P/5+tX8Mhn+N3tcHkHN7ZWEqlU7oRyO++wibyRdMTC43wAyq7SV+++2s+aCXSeNL
VnD8MGsAQf+Zz4nU1u4SMJtqJbof3XbQdU+J6ENJZpMBL2c6fYT6O9AAWSouf5GD
cOjQfYtEk+k=
=Hy7U
-----END PGP SIGNATURE-----



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH