[thelist] FW: Microsoft Security Bulletin MS01-017
Scott Dexter
sgd at ti3.com
Thu Mar 22 13:52:33 CST 2001
This is *HUGE* and you need to read through all of it.
Please, don't take this as an opportunity to MS-bash. Thanks
sgd
--
work: http://www.ti3.com/
non: http://thinksafely.org/
> -----Original Message-----
> From: Microsoft Product Security [mailto:secnotif at MICROSOFT.COM]
> Sent: Thursday, March 22, 2001 9:42 AM
> To: MICROSOFT_SECURITY at ANNOUNCE.MICROSOFT.COM
> Subject: Microsoft Security Bulletin MS01-017
>
>
> The following is a Security Bulletin from the Microsoft
> Product Security
> Notification Service.
>
> Please do not reply to this message, as it was sent from
> an unattended
> mailbox.
> ********************************
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> -
> ----------------------------------------------------------------------
> Title: Erroneous VeriSign-Issued Digital Certificates Pose
> Spoofing Hazard
> Date: 22 March 2001
> Software: All Microsoft customers should read the bulletin.
> Impact: Attacker could digitally sign code using the name
> "Microsoft Corporation".
> Bulletin: MS01-017
>
> Microsoft encourages customers to review the Security Bulletin at:
> http://www.microsoft.com/technet/security/bulletin/MS01-017.asp.
> -
> ----------------------------------------------------------------------
>
> Issue:
> ======
> VeriSign, Inc., recently advised Microsoft that on January 30 and 31,
> 2001, it issued two VeriSign Class 3 code-signing digital
> certificates to an individual who fraudulently claimed to be a
> Microsoft employee. The common name assigned to both certificates is
> "Microsoft Corporation". The ability to sign executable content using
> keys that purport to belong to Microsoft would clearly be
> advantageous to an attacker who wished to convince users to allow the
> content to run.
> The certificates could be used to sign programs, ActiveX controls,
> Office macros, and other executable content. Of these, signed ActiveX
> controls and Office macros would pose the greatest risk, because the
> attack scenarios involving them would be the most straightforward.
> Both ActiveX controls and Word documents can be delivered via either
> web pages or HTML mails. ActiveX controls can be automatically
> invoked via script, and Word documents can be automatically opened
> via script unless the user has applied the Office Document Open
> Confirmation Tool.
>
> However, even though the certificates say they are owned by
> Microsoft, they are not bona fide Microsoft certificates, and content
> signed by them would not be trusted by default. Trust is defined on a
> certificate-by-certificate basis, rather than on the basis of the
> common name. As a result, a warning dialogue would be displayed
> before any of the signed content could be executed, even if the user
> had previously agreed to trust other certificates with the common
> name "Microsoft Corporation". The danger, of course, is that even a
> security-conscious user might agree to let the content execute, and
> might agree to always trust the bogus certificates.
>
> VeriSign has revoked the certificates, and they are listed in
> VeriSign's current Certificate Revocation List (CRL). However,
> because VeriSign's code-signing certificates do not specify a CRL
> Distribution Point (CDP), it is not possible for any browser's
> CRL-checking mechanism to download the VeriSign CRL and use it.
> Microsoft is developing an update that rectifies this problem. The
> update package includes a CRL containing the two certificates, and an
> installable revocation handler that consults the CRL on the local
> machine, rather than attempting to use the CDP mechanism.
>
> Versions of the update are being prepared for all Microsoft platforms
> released since 1995. However, because of the large number of
> platforms that must be tested, the patches are not available at this
> writing. Until the update is available, we urge customers to take
> some or all of the following steps to protect themselves should they
> encounter hostile code signed by one of the certificates.
> - Visually inspect the certificates cited in all warning
> dialogues. The two certificates at issue here were issued
> on 29 and 30 January 2001, respectively. No bona fide
> Microsoft certificates were issued on these dates. The
> FAQ and Knowledge Base article Q293817 provide complete
> details regarding both certificates.
> - Install the Outlook Email Security Update
> (http://www.officeupdate.com/2000/downloadDetails/Out2ksec.htm)
> to prevent mail-borne programs from being launched, even via
> signed components, and install the Office Document Open
> Confirmation Tool
> (http://officeupdate.microsoft.com/downloadDetails/confirm.htm)
> to force web pages to request permission before opening Office
> documents.
> - Consider temporarily removing the VeriSign Commercial Software
> Publishers CA certificate from the Trusted Root Store. Knowledge
> Base article Q293819 provides details on how to do this.
>
> Mitigating Factors:
> ====================
> - The certificates are not trusted by default. As a result,
> neither code nor ActiveX controls could be made to run without
> displaying a warning dialogue. By viewing the certificate in
> such dialogues, users can easily recognize the certificates.
> - The certificates are not the bona fide Microsoft code-signing
> certificates. Content signed by those keys can be distinguished
> from bona fide Microsoft content.
>
> Patch Availability:
> ===================
> - A software update is under development and will be released
> shortly. When it is available, we will update this bulletin
> to provide information on how to obtain and use it.
>
>
> -
> ---------------------------------------------------------------------
>
> THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
> "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
> WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
> MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
> SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
> DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
> CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
> MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
> POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
> OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
> THE FOREGOING LIMITATION MAY NOT APPLY.
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Personal Privacy 6.5.3
>
> iQEVAwUBOrodSI0ZSRQxA/UrAQF5ogf+PPlBgMNKx1hSjvUpKCOOGC3vnSGx5rfF
> AbMlLePETm/tfrmyodtL6Gnsi/Upakt20np8Z7xvxDA9+HybF7oDOY4uSZhmyKu9
> kkttEKWA4JmyQbNt4bZw0Rv9iXZttdcd+spmkDg5ntukhQmnEOj8gBnJfXrJEqg8
> 3pjnrSJlz1RZ20XLrLMhsQe55eolgrnb2szUFNxFV4tN61TvtIUlO0vcnRgc6ZFG
> 2tLo6IZqH+yESt10WhlwLVjmef1QrtkGox3S4JGWdahjbmKAgS+ITH86uGY8L40D
> VBVS4tYX1h0N194n5AimxyV79A1VlqWzXOcbJ4oeZrKWB0gIt+7Cqw==
> =QWGt
> -----END PGP SIGNATURE-----
>
> *******************************************************************
> You have received this e-mail bulletin as a result of your
> registration
> to the Microsoft Product Security Notification
> Service. You may
> unsubscribe from this e-mail notification service at any
> time by sending
> an e-mail to
> MICROSOFT_SECURITY-SIGNOFF-REQUEST at ANNOUNCE.MICROSOFT.COM
> The subject line and message body are not used in processing
> the request,
> and can be anything you like.
>
> To verify the digital signature on this bulletin, please
> download our PGP
> key at http://www.microsoft.com/technet/security/notify.asp.
>
> For more information on the Microsoft Security
> Notification Service
> please visit
http://www.microsoft.com/technet/security/notify.asp. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.
More information about the thelist
mailing list