Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Computing > Computer Security > Security Flaw in how Outlook verifies Digital Signatures

Security Flaw in how Outlook verifies Digital Signatures

Roberto Franceschetti
02-17-2005
This report is also available graphically at
http://www.logsat.com/Signatures

On 10/21/2004 the following vulnerability was reported to Microsoft:

Security Flaw with Digital signatures in Microsoft Outlook -
Emails in Microsoft Outlook digitally signed with S/MIME using either a
commercial personal certificate like Verisign or using a certificate issued
by MS Certificate Server can be altered. Outlook will not show any warnings
about the email being changed, the digital signature will still be
reported valid even though the message content has been modified and
parties involved in the signatures changed.
This is an extremely serious flaw as I can change any digitally signed
emails I want without Outlook ever noticing.
After several emails with Microsoft and CERT during the months that
followed, no fixes have been issued to correct this security flaw. It is
only now that I am making this information public after all my attempts to
have Microsoft resolve the problem have failed.

The following are 3 digitally signed messages. The 1st one is a valid,
unmodified email from Roberto Franceschetti (roberto at logsat.com) to
support at logsat.com: (follow the hyperlinks for the email's source and
screenshots)

Screenshot at http://www.logsat.com/Signatures/Valid.gif
Email's source at http://www.logsat.com/Signatures/Valid.msg


The following one has been "hacked" so that the sender now appears to be
"Hackers Franceschetti" ((E-Mail Removed)). Note that Outlook states that
the email is absolutely valid, and that the certificate is Valid and
Trusted. This is most definitely not the case, as I've altered the original
message to make it appear as a different person actually sent it. Imagine
the scenario where a digital signature is supposed to unequivocally identify
a sender, but now this email that appears to be sent by "hackers" appears
legitimate, and a poor victim will trust it and send the hacker any
confidential information he is asked for... (follow the hyperlinks for the
email's source):

Screenshot at http://www.logsat.com/Signatures/Hacked1.gif
Email's source at http://www.logsat.com/Signatures/Hacked1.msg


This 3rd email is yet another variation showing how a digitally signed email
can further be forged without Outlook ever raising warning flags (follow the
hyperlinks for the email's source):

Screenshot at http://www.logsat.com/Signatures/Hacked2.gif
Email's source at http://www.logsat.com/Signatures/Hacked2.msg



The full emails with the conversations between myself, Microsoft and CERT
can be found here (http://www.logsat.com/Signatures/emails.asp). I hope that
by making this information public all the users who rely on digital
signatures will be aware of this severe security flaw in Microsoft Outlook,
and will take other precautions to ensure the identity of users in digitally
signed emails they receive.
Roberto Franceschetti
LogSat Software
roberto at sign logsat.com
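The post describes a signed message whose visible sender was changed while Outlook still reported the signature valid. In a multipart/signed message the signature covers only the inner MIME part, never the outer headers, so a receiving client has to do a second check on its own: the From: address must match an e-mail address bound to the signer's certificate. The script below is an added example (not from the original post, and not Outlook's or Microsoft's code) of that two-step verification using the OpenSSL command-line tool, which it assumes is in PATH; the certificate, key, addresses and message body are all constructed for the demonstration, and the tampered copy is built exactly as the post describes, by rewriting the outer From: header only.

```shell
#!/bin/sh
# Added example (not from the original post or from Microsoft/Outlook).
# It implements the receiver-side check the post shows Outlook skipping:
# after the S/MIME signature verifies, the address in the outer From: header
# must match an e-mail address bound to the signer's certificate, because a
# multipart/signed body covers only the inner MIME part, not the headers.
# Assumes an OpenSSL command-line tool in PATH; every name, address and key
# below is constructed for the demonstration.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed signer: a throwaway self-signed certificate whose subject
# carries the sender's e-mail address.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Roberto Franceschetti/emailAddress=roberto@example.com" \
  -keyout "$WORK/signer.key" -out "$WORK/signer.crt" >/dev/null 2>&1

printf 'Please send the quarterly report to the address in this message.\n' \
  > "$WORK/body.txt"

# Produce a multipart/signed message. openssl writes -from/-to/-subject as
# outer headers, outside the signed part.
openssl smime -sign -in "$WORK/body.txt" -signer "$WORK/signer.crt" \
  -inkey "$WORK/signer.key" -from roberto@example.com -to support@example.com \
  -subject "Signed message" -out "$WORK/signed.eml"

# Constructed tampered copy: only the outer From: header is rewritten; the
# signed part and the signature are untouched.
sed '1,/^$/ s/^From: .*/From: hackers@example.com/' \
  "$WORK/signed.eml" > "$WORK/tampered.eml"

# Address of the first From: header; accepts both "addr" and "Name <addr>".
from_address() {
    sed -n '1,/^$/ s/^From: *//p' "$1" | head -n 1 \
      | sed -n -e 's/.*<\([^>]*\)>.*/\1/p' -e t -e p
}

# Step 1: cryptographic check only. Succeeds when the signature over the
# signed part is good and writes the signer certificate to $2. -noverify
# skips chain building because the demo certificate is self-signed.
signature_ok() {
    openssl smime -verify -in "$1" -noverify -signer "$2" \
      -out /dev/null >/dev/null 2>&1
}

# Step 2: identity binding. Succeeds only when the From: address is among
# the e-mail addresses in the signer certificate (subject emailAddress or SAN).
sender_matches_signer() {
    from=$(from_address "$1")
    [ -n "$from" ] || return 1
    openssl x509 -in "$2" -noout -email | grep -qix -- "$from"
}

# Combined verdict: 0 only when both checks pass; 1 for a bad signature;
# 2 for a valid signature whose visible sender is not the signer.
verify_signed_mail() {
    cert="$WORK/extracted.crt"
    if ! signature_ok "$1" "$cert"; then
        echo "$1: signature INVALID"
        return 1
    fi
    if ! sender_matches_signer "$1" "$cert"; then
        echo "$1: signature valid, but From: $(from_address "$1") is not bound to the signer certificate"
        return 2
    fi
    echo "$1: signature valid and From: matches the signer"
    return 0
}

verify_signed_mail "$WORK/signed.eml"
verify_signed_mail "$WORK/tampered.eml"
```

Running it shows the point of the post: `signature_ok` succeeds on both files, because the bytes that were signed never changed, and only the binding check in `sender_matches_signer` rejects the tampered copy. A mail client that stops after step 1 displays exactly the "valid and trusted" verdict the screenshots show.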



Michael J. Pelletier
02-18-2005
Roberto Franceschetti wrote:

> This report is also available graphically at
> http://www.logsat.com/Signatures
>


<snip>

Thanks for the info. I can't believe that MS has done nothing about this, as
some companies use this for sending critical information. Figures; MS has
really dropped the ball on so many fronts that nothing they do really
surprises me any more. I have been using their crapware since DOS 2.1; at
least back then they did not have their head too far up their butt...

In any case thanks, at least people can be warned...

Michael

Vanguard
02-18-2005
"Roberto Franceschetti" <(E-Mail Removed)>
wrote in message news:iY7Rd.98502$(E-Mail Removed) ...

<snip - same multi-posted message found in microsoft.public.outlook
group>

And the need to multi-post the SAME message to multiple newsgroups was?
Cross-post please.

--
__________________________________________________ __________
Post your replies to the newsgroup. Share with others.
E-mail reply: Remove "NIXTHIS" and add "#VS811" to Subject.
__________________________________________________ __________


donnie
02-19-2005
On Fri, 18 Feb 2005 00:28:00 -0600, "Vanguard"
<(E-Mail Removed)> wrote:

>And the need to multi-post the SAME message to multiple newsgroups was?
>Cross-post please.

#############################
Why do some people say don't cross post and others request it?
donnie.

Leythos
02-19-2005
On Sat, 19 Feb 2005 01:08:15 +0000, donnie wrote:

> On Fri, 18 Feb 2005 00:28:00 -0600, "Vanguard"
> <(E-Mail Removed)> wrote:
>
>>And the need to multi-post the SAME message to multiple newsgroups was?
>>Cross-post please.

> #############################
> Why do some people say don't cross post and others request it?
> donnie.


Cross-posting to fewer than 5~7 groups is the proper way and allows proper
Usenet readers to click on the post in ONE group and mark it as read for
all of them; it also allows all participants across all groups it was
posted to see any reply.

Multi-posting is much like spam: it creates separate messages in each group
and none of them are linked to each other. This means that a discussion
in one group may not be seen by participants in another group with the
same original post.

Posting to more than 5~7 groups is always considered improper and in bad
form.


--
http://www.velocityreviews.com/forums/(E-Mail Removed)
remove 999 in order to email me


Roberto Franceschetti
02-19-2005
Yes, I admit the mistake. I had a multi-post to 6 groups, I believe. The
postings were done manually as I was finding appropriate groups and websites
to make the information public. It was not intended as spam, but as ideas of
where to post the info came to mind, I acted upon them...
The conversation is continuing on microsoft.public.outlook

Roberto Franceschetti

"Leythos" <(E-Mail Removed)> wrote in message
news(E-Mail Removed)...
> On Sat, 19 Feb 2005 01:08:15 +0000, donnie wrote:
>
>> On Fri, 18 Feb 2005 00:28:00 -0600, "Vanguard"
>> <(E-Mail Removed)> wrote:
>>
>>>And the need to multi-post the SAME message to multiple newsgroups was?
>>>Cross-post please.

>> #############################
>> Why do some people say don't cross post and others request it?
>> donnie.

>
> Cross-posting to fewer than 5~7 groups is the proper way and allows proper
> Usenet readers to click on the post in ONE group and mark it as read for
> all of them; it also allows all participants across all groups it was
> posted to see any reply.
>
> Multi-posting is much like spam: it creates separate messages in each group
> and none of them are linked to each other. This means that a discussion
> in one group may not be seen by participants in another group with the
> same original post.
>
> Posting to more than 5~7 groups is always considered improper and in bad
> form.
>
>
> --
> (E-Mail Removed)
> remove 999 in order to email me
>


