Hi,
I don't usually post off topic items, but this seems like a large
potential risk to me, one I haven't seen posted anywhere else.
regards,
tbr
CERT Advisory wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> CERT Advisory CA-2001-04 Unauthentic "Microsoft Corporation" Certificates
>
> Original release date: March 22, 2001
> Last revised: March 22, 2001
> Source: CERT/CC
>
> A complete revision history can be found at the end of this file.
>
> Systems Affected
>
> Systems whose users run code signed by Microsoft Corporation.
>
> Overview
>
> On January 29 and 30, 2001, VeriSign, Inc. issued two certificates to
> an individual fraudulently claiming to be an employee of Microsoft
> Corporation. Any code signed by these certificates will appear to be
> legitimately signed by Microsoft when, in fact, it is not. Although
> users who try to run code signed with these certificates will
> generally be presented with a warning dialog, there will not be any
> obvious reason to believe that the certificate is not authentic.
>
> I. Description
>
> Microsoft released a security bulletin on March 22, 2001, describing
> two certificates issued by VeriSign to an individual fraudulently
> claiming to be an employee of Microsoft. The full text of Microsoft's
> security bulletin is available from their web site at
>
> http://www.microsoft.com/technet/security/bulletin/MS01-017.asp
>
> Additional information about this issue is also available from
> VeriSign's web site:
>
> http://www.verisign.com/developer/notice/authenticode/index.html
>
> This issue presents a security risk because even a reasonably cautious
> user could be deceived into trusting the bogus certificates, since
> they appear to be from Microsoft. Once accepted, these certificates
> may allow an attacker to execute malicious code on the user's system.
>
> This problem is the result of a failure by the certificate authority
> to correctly authenticate the recipient of a certificate. VeriSign has
> taken the appropriate action by revoking the certificates in question.
> However, this in itself is insufficient to prevent the malicious use
> of these certificates until a patch has been installed, because
> Internet Explorer does not check for such revocations automatically.
>
> II. Impact
>
> Anyone with the private portions of the certificates can sign code
> such that it appears to have originated from Microsoft Corporation. If
> the user approves the execution of code signed by one of the bogus
> certificates, it can take any action on the system with the privileges
> of the user who approved the execution. The fake certificates can only
> be used for Authenticode signing.
>
> III. Solution
>
> Check "Microsoft Corporation" Certificates
>
> You can identify the fake certificates by checking the validity dates
> and serial numbers of the certificates. When prompted to authorize the
> execution of code signed by "Microsoft Corporation", press the "More
> Info" button to obtain additional information about the certificate
> used to sign the code.
>
> The fake certificates have the following description:
>
> Issued to: Microsoft Corporation
> Issued by: VeriSign Commercial Software Publishers CA
> Valid from 1/29/2001 to 1/30/2002
> Serial number is 1B51 90F7 3724 399C 9254 CD42 4637 996A
>
> Issued to: Microsoft Corporation
> Issued by: VeriSign Commercial Software Publishers CA
> Valid from 1/30/2001 to 1/31/2002
> Serial number is 750E 40FF 97F0 47ED F556 C708 4EB1 ABFD
>
> No legitimate certificates were issued to Microsoft between January 29
> and 30, 2001. Certificates with these initial validity dates or serial
> numbers should not be authorized to execute code.
>
> The certificate revocation list for the fake certificates can be found
> at
>
> http://crl.verisign.com/Class3SoftwarePublishers.crl
>
> Apply a Patch from Your Vendor
>
> While there do not appear to be any patches available at this time
> that directly address this issue, Microsoft is working on producing
> patches that will ensure the invalid certificates are not used.
>
> Appendix A. - Vendor Information
>
> Microsoft Corporation
>
> Microsoft has published a security bulletin describing this issue at
>
> http://www.microsoft.com/technet/security/bulletin/MS01-017.asp
>
> Netscape
>
> Netscape takes all security and privacy issues very seriously. The
> Netscape browser does not allow the execution of ActiveX controls,
> signed or unsigned, and therefore Netscape users are not vulnerable to
> exploits which rely on signed ActiveX. In the unlikely event that
> Netscape users are presented with signed content from Microsoft
> requesting enhanced privileges, Netscape users can protect themselves
> by denying permission to any such request.
> ______________________________________________________________________
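A scripted form of the "More Info" check in section III, added here as an example and not part of the CERT advisory or Microsoft's bulletin: it reads the Authenticode signer certificate of each file with PowerShell's built-in Get-AuthenticodeSignature, compares the serial number against the two values the advisory lists (normalised to the spaceless upper-case form .NET uses, since the advisory prints them with spaces), flags "Microsoft Corporation" certificates issued by the VeriSign Commercial Software Publishers CA in the 29-30 January 2001 window, and builds the chain with online revocation checking so that the revocation VeriSign published is actually consulted, which the advisory notes Internet Explorer of the time did not do. The function name Test-BogusMicrosoftSignature, the scanned directory and the file extensions are assumptions for illustration; the serial numbers, issuer name and dates are the advisory's.

```powershell
# Added example, not the advisory's own procedure: flag files signed with the
# two fraudulent "Microsoft Corporation" Authenticode certificates.

# Serial numbers from the advisory, with spaces removed and upper-cased to match
# the form System.Security.Cryptography.X509Certificates.X509Certificate2.SerialNumber returns.
$BogusSerials = @(
    '1B5190F73724399C9254CD424637996A',
    '750E40FF97F047EDF556C7084EB1ABFD'
)
$BogusIssuerCN = 'VeriSign Commercial Software Publishers CA'

function Test-BogusMicrosoftSignature {
    # Hypothetical function name chosen for this example.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Path
    )
    process {
        $sig  = Get-AuthenticodeSignature -FilePath $Path
        $cert = $sig.SignerCertificate
        if (-not $cert) {
            return [pscustomobject]@{ Path = $Path; Signed = $false; Verdict = 'unsigned' }
        }

        $serial        = $cert.SerialNumber.ToUpperInvariant()
        $matchesSerial = $BogusSerials -contains $serial
        $matchesIssuer = $cert.Issuer -like "*CN=$BogusIssuerCN*"
        # Both fake certificates were issued on 29 or 30 January 2001.
        $inWindow = ($cert.NotBefore -ge [datetime]'2001-01-29') -and
                    ($cert.NotBefore -lt [datetime]'2001-01-31')

        # Independent revocation check: build the chain and ask Windows to fetch
        # the CRLs online rather than relying on whatever the browser cached.
        $ns    = 'System.Security.Cryptography.X509Certificates'
        $chain = New-Object "$ns.X509Chain"
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $null = $chain.Build($cert)
        $revoked = @($chain.ChainStatus | Where-Object {
            $_.Status.HasFlag([System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked)
        }).Count -gt 0

        $verdict = if ($matchesSerial) {
            'BOGUS (serial number listed in CA-2001-04)'
        } elseif ($revoked) {
            'revoked'
        } elseif ($cert.Subject -like '*CN=Microsoft Corporation*' -and $matchesIssuer -and $inWindow) {
            'suspicious (Microsoft cert from VeriSign CSP CA dated 29-30 Jan 2001)'
        } else {
            'ok'
        }

        [pscustomobject]@{
            Path      = $Path
            Signed    = $true
            Status    = $sig.Status
            Subject   = $cert.Subject
            Issuer    = $cert.Issuer
            Serial    = $serial
            NotBefore = $cert.NotBefore
            Revoked   = $revoked
            Verdict   = $verdict
        }
    }
}

# Usage (assumed location and extensions): scan downloaded executables and
# controls, and show only the ones that need attention.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Recurse -Include *.exe, *.dll, *.ocx, *.cab |
    Select-Object -ExpandProperty FullName |
    Test-BogusMicrosoftSignature |
    Where-Object { $_.Verdict -ne 'ok' } |
    Format-Table Path, Verdict, Serial, NotBefore -AutoSize
```

Two caveats a practitioner should keep in mind. First, the serial-number match is the authoritative test: a certificate with a listed serial is fraudulent regardless of what any other field or the chain build says, which is why it is checked before revocation. Second, the online revocation check only helps if the machine can reach the CRL distribution point embedded in the certificate; if the chain build fails for network reasons the ChainStatus will carry an offline/unknown-revocation flag rather than Revoked, so a result of 'ok' from this script on an unreachable network is not a clean bill of health.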