
[Fwd: CERT Advisory CA-2001-04]

Hi,

I don't usually post off topic items, but this seems like a large
potential risk to me, one I haven't seen posted anywhere else.

regards,

tbr

CERT Advisory wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> CERT Advisory CA-2001-04 Unauthentic "Microsoft Corporation" Certificates
> 
>    Original release date: March 22, 2001
>    Last revised: March 22, 2001
>    Source: CERT/CC
> 
>    A complete revision history can be found at the end of this file.
> 
> Systems Affected
> 
>    Systems whose users run code signed by Microsoft Corporation.
> 
> Overview
> 
>    On January 29 and 30, 2001, VeriSign, Inc. issued two certificates to
>    an individual fraudulently claiming to be an employee of Microsoft
>    Corporation. Any code signed by these certificates will appear to be
>    legitimately signed by Microsoft when, in fact, it is not. Although
>    users who try to run code signed with these certificates will
>    generally be presented with a warning dialog, there will not be any
>    obvious reason to believe that the certificate is not authentic.
> 
> I. Description
> 
>    Microsoft released a security bulletin on March 22, 2001, describing
>    two certificates issued by VeriSign to an individual fraudulently
>    claiming to be an employee of Microsoft. The full text of Microsoft's
>    security bulletin is available from their web site at
> 
>        http://www.microsoft.com/technet/security/bulletin/MS01-017.asp
> 
>    Additional information about this issue is also available from
>    VeriSign's web site:
> 
>        http://www.verisign.com/developer/notice/authenticode/index.html
> 
>    This issue presents a security risk because even a reasonably cautious
>    user could be deceived into trusting the bogus certificates, since
>    they appear to be from Microsoft. Once accepted, these certificates
>    may allow an attacker to execute malicious code on the user's system.
> 
>    This problem is the result of a failure by the certificate authority
>    to correctly authenticate the recipient of a certificate. VeriSign has
>    taken the appropriate action by revoking the certificates in question.
>    However, this in itself is insufficient to prevent the malicious use
>    of these certificates until a patch has been installed, because
>    Internet Explorer does not check for such revocations automatically.
> 
> II. Impact
> 
>    Anyone with the private portions of the certificates can sign code
>    such that it appears to have originated from Microsoft Corporation. If
>    the user approves the execution of code signed by one of the bogus
>    certificates, it can take any action on the system with the privileges
>    of the user who approved the execution. The fake certificates can only
>    be used for Authenticode signing.
> 
> III. Solution
> 
> Check "Microsoft Corporation" Certificates
> 
>    You can identify the fake certificates by checking the validity dates
>    and serial numbers of the certificates. When prompted to authorize the
>    execution of code signed by "Microsoft Corporation", press the "More
>    Info" button to obtain additional information about the certificate
>    used to sign the code.
> 
>    The fake certificates have the following description:
> 
>           Issued to: Microsoft Corporation
>           Issued by: VeriSign Commercial Software Publishers CA
>           Valid from 1/29/2001 to 1/30/2002
>           Serial number is 1B51 90F7 3724 399C 9254 CD42 4637 996A
> 
>           Issued to: Microsoft Corporation
>           Issued by: VeriSign Commercial Software Publishers CA
>           Valid from 1/30/2001 to 1/31/2002
>           Serial number is 750E 40FF 97F0 47ED F556 C708 4EB1 ABFD
> 
>    No legitimate certificates were issued to Microsoft between January 29
>    and 30, 2001. Certificates with these initial validity dates or serial
>    numbers should not be authorized to execute code.
> 
>    The certificate revocation list for the fake certificates can be found
>    at
> 
>           http://crl.verisign.com/Class3SoftwarePublishers.crl
> 
> Apply a Patch from Your Vendor
> 
>    While there do not appear to be any patches available at this time
>    that directly address this issue, Microsoft is working on producing
>    patches that will ensure the invalid certificates are not used.
> 
> Appendix A. - Vendor Information
> 
> Microsoft Corporation
> 
>    Microsoft has published a security bulletin describing this issue at
> 
>           http://www.microsoft.com/technet/security/bulletin/MS01-017.asp
> 
> Netscape
> 
>    Netscape takes all security and privacy issues very seriously. The
>    Netscape browser does not allow the execution of ActiveX controls,
>    signed or unsigned, and therefore Netscape users are not vulnerable to
>    exploits which rely on signed ActiveX. In the unlikely event that
>    Netscape users are presented with signed content from Microsoft
>    requesting enhanced privileges, Netscape users can protect themselves
>    by denying permission to any such request.
>    ______________________________________________________________________
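The advisory's "Check 'Microsoft Corporation' Certificates" section tells the user to compare the issuer, serial number and validity dates shown in the "More Info" dialog against the two fraudulent certificates, and notes that Internet Explorer will not consult VeriSign's revocation list on its own. The following Python is an added example written for this archive, not code from CERT, Microsoft or VeriSign: it parses the four-line certificate description exactly as the advisory quotes it, normalises serial numbers across the spaced-hex form used in the advisory and the colon-separated form that OpenSSL prints, and applies the advisory's three indicators (known-bad serial, a validity period starting on 29 or 30 January 2001, and presence on a revocation list). The serial numbers, issuer name and dates come from the advisory; the function names and the sample "legitimate" certificate and revoked-serial set are constructed for illustration.

```python
"""Flag the fraudulent "Microsoft Corporation" Authenticode certificates
described in CERT Advisory CA-2001-04 from the issuer, serial number and
validity dates shown in the signing dialog.

Added example, not part of the advisory. Serial numbers, issuer name and
the 29-30 January 2001 window are quoted from the advisory; function names
and sample inputs are assumptions made for illustration.
"""
import re
from datetime import date, datetime

# Issuer and serial numbers of the two fraudulent certificates, as quoted
# in section III of the advisory.
BOGUS_ISSUER = "VeriSign Commercial Software Publishers CA"
BOGUS_SERIALS_HEX = (
    "1B51 90F7 3724 399C 9254 CD42 4637 996A",
    "750E 40FF 97F0 47ED F556 C708 4EB1 ABFD",
)
# Per the advisory, no legitimate certificate was issued to Microsoft on
# these dates, so a validity period starting here is itself an indicator.
SUSPECT_WINDOW = (date(2001, 1, 29), date(2001, 1, 30))


def normalize_serial(serial):
    """Return a serial number as an int from the advisory's spaced-hex form,
    OpenSSL's colon-separated hex, a bare hex string, or an int, so that the
    same certificate compares equal however its serial was displayed."""
    if isinstance(serial, int):
        return serial
    cleaned = serial.replace(" ", "").replace(":", "").strip()
    if cleaned.lower().startswith("0x"):
        cleaned = cleaned[2:]
    return int(cleaned, 16)


BOGUS_SERIALS = frozenset(normalize_serial(s) for s in BOGUS_SERIALS_HEX)


def parse_certificate_description(text):
    """Parse the four-line description shown by the "More Info" dialog
    (Issued to / Issued by / Valid from ... to ... / Serial number is ...)
    into a dict with issued_to, issued_by, valid_from, valid_to and serial."""
    fields = {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        if line.startswith("Issued to:"):
            fields["issued_to"] = line.split(":", 1)[1].strip()
        elif line.startswith("Issued by:"):
            fields["issued_by"] = line.split(":", 1)[1].strip()
        elif line.startswith("Valid from"):
            match = re.match(r"Valid from (\S+) to (\S+)", line)
            if not match:
                raise ValueError("unrecognised validity line: %r" % line)
            # The dialog prints US-style month/day/year dates.
            fields["valid_from"] = datetime.strptime(match.group(1), "%m/%d/%Y").date()
            fields["valid_to"] = datetime.strptime(match.group(2), "%m/%d/%Y").date()
        elif line.startswith("Serial number is"):
            fields["serial"] = line[len("Serial number is"):].strip()
    missing = {"issued_to", "issued_by", "valid_from", "serial"} - set(fields)
    if missing:
        raise ValueError("description is missing fields: %s" % sorted(missing))
    return fields


def evaluate(fields, revoked_serials=frozenset()):
    """Return the list of reasons to refuse the certificate; an empty list
    means none of the advisory's indicators matched. revoked_serials is a
    set of ints the caller has extracted from the issuer's CRL (the advisory
    gives its URL); an empty set reproduces Internet Explorer's behaviour of
    never consulting it."""
    reasons = []
    serial = normalize_serial(fields["serial"])
    if fields["issued_by"] == BOGUS_ISSUER and serial in BOGUS_SERIALS:
        reasons.append("serial number matches a fraudulent certificate listed in CA-2001-04")
    if (fields["issued_to"] == "Microsoft Corporation"
            and SUSPECT_WINDOW[0] <= fields["valid_from"] <= SUSPECT_WINDOW[1]):
        reasons.append("validity period begins on 29 or 30 January 2001, when no "
                       "legitimate Microsoft certificate was issued")
    if serial in revoked_serials:
        reasons.append("serial number appears on the issuer's revocation list")
    return reasons


if __name__ == "__main__":
    # Constructed input: the first fraudulent certificate as the advisory quotes it.
    sample = """Issued to: Microsoft Corporation
Issued by: VeriSign Commercial Software Publishers CA
Valid from 1/29/2001 to 1/30/2002
Serial number is 1B51 90F7 3724 399C 9254 CD42 4637 996A"""
    for reason in evaluate(parse_certificate_description(sample)):
        print("REFUSE:", reason)
```

The serial normalisation matters in practice: a user reading the dialog sees the spaced form the advisory prints, while a certificate dumped with a command-line tool shows colon-separated bytes, and a comparison done on the raw strings would miss the match. The `revoked_serials` parameter is where a revocation check would plug in; the example deliberately leaves obtaining the CRL to the caller, since that is the step the advisory says the browser did not perform.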