Security Flaw in how Outlook verifies Digital Signatures

Discussion in 'Computer Security' started by Roberto Franceschetti, Feb 17, 2005.

  1. This report is also available graphically at
    http://www.logsat.com/Signatures

    On 10/21/2004 the following vulnerability was reported to Microsoft:

    Security Flaw with Digital signatures in Microsoft Outlook -
    Emails in Microsoft Outlook digitally signed with S/MIME using either a
    commercial personal certificate like Verisign or using a certificate issued
    by MS Certificate Server can be altered. Outlook will not show any warnings
    about the email being changed, the digital signature will still be
    reported valid even though the message content has been modified and
    parties involved in the signatures changed.
    This is an extremely serious flaw as I can change any digitally signed
    emails I want without Outlook ever noticing.
    After several emails with Microsoft and CERT during the months that
    followed, no fixes have been issued to correct this security flaw. It is
    only now that I am making this information public after all my attempts to
    have Microsoft resolve the problem have failed.

    The following are 3 digitally signed messages. The 1st one is a valid,
    unmodified email from Roberto Franceschetti (roberto at logsat.com) to
    support at logsat.com: (follow the hyperlinks for the email's source and
    screenshots)

    Screenshot at http://www.logsat.com/Signatures/Valid.gif
    Email's source at http://www.logsat.com/Signatures/Valid.msg


    The following one has been "hacked" so that the sender now appears to be
    "Hackers Franceschetti" (). Note that Outlook states that
    the email is absolutely valid, and that the certificate is Valid and
    Trusted. This is most definitely not the case, as I've altered the original
    message to make it appear as a different person actually sent it. Imagine
    the scenario where a digital signature is supposed to unequivocally identify
    a sender, but now this email that appears to be sent by "hackers" appears
    legitimate, and a poor victim will trust it and send the hacker any
    confidential information he is asked for... (follow the hyperlinks for the
    email's source):

    Screenshot at http://www.logsat.com/Signatures/Hacked1.gif
    Email's source at http://www.logsat.com/Signatures/Hacked1.msg


    This 3rd email is yet another variation showing how a digitally signed email
    can further be forged without Outlook ever raising warning flags (follow the
    hyperlinks for the email's source):

    Screenshot at http://www.logsat.com/Signatures/Hacked2.gif
    Email's source at http://www.logsat.com/Signatures/Hacked2.msg



    The full emails with the conversations between myself, Microsoft and CERT
    can be found here (http://www.logsat.com/Signatures/emails.asp). I hope that
    by making this information public all the users who rely on digital
    signatures will be aware of this severe security flaw in Microsoft Outlook,
    and will take other precautions to ensure the identity of users in digitally
    signed emails they receive.
    Roberto Franceschetti
    LogSat Software
    roberto at sign logsat.com
     
    Roberto Franceschetti, Feb 17, 2005
    #1
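
An added example, not part of the original post or any vendor's code: in a multipart/signed S/MIME message the signature covers only the first body part, so a client has to compare the displayed sender with the addresses in the signer's certificate itself. It assumes the altered field is the outer From header (the post does not say how the messages were changed) and that `signer_emails` was extracted from the signing certificate by an S/MIME library; the message, addresses and signature blob are constructed.

```python
import hashlib
from email import message_from_bytes, policy
from email.utils import parseaddr

FROM_ORIG = b"From: Roberto Franceschetti <roberto@sender.example>\r\n"
# Constructed sample message; the signature part is a placeholder blob.
SIGNED = (
    FROM_ORIG
    + b"To: support@sender.example\r\n"
    b"Subject: test\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/signed; protocol="application/pkcs7-signature";\r\n'
    b' micalg=sha-256; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Signed body text.\r\n"
    b"--b1\r\n"
    b"Content-Type: application/pkcs7-signature; name=smime.p7s\r\n"
    b"\r\n"
    b"PLACEHOLDER\r\n"
    b"--b1--\r\n"
)
# Same message with only the outer From header rewritten (constructed).
ALTERED = SIGNED.replace(
    FROM_ORIG, b"From: Hackers Franceschetti <hackers@other.example>\r\n")

def signed_part_digest(raw: bytes) -> str:
    """SHA-256 of the first body part, the only bytes the signature covers."""
    boundary = message_from_bytes(raw, policy=policy.default).get_boundary()
    chunks = raw.split(b"\r\n--" + boundary.encode("ascii"))
    return hashlib.sha256(chunks[1][2:]).hexdigest()  # [2:] drops delimiter CRLF

def sender_matches_signer(raw: bytes, signer_emails) -> bool:
    """True only if the From address is one of the signer certificate's addresses."""
    msg = message_from_bytes(raw, policy=policy.default)
    _, addr = parseaddr(str(msg["From"] or ""))
    allowed = {e.lower() for e in signer_emails}
    return bool(addr) and addr.lower() in allowed

if __name__ == "__main__":
    cert_emails = ["roberto@sender.example"]  # assumed to come from the certificate
    same = signed_part_digest(SIGNED) == signed_part_digest(ALTERED)
    print("signed bytes unchanged after header edit:", same)
    print("original sender bound to signer:", sender_matches_signer(SIGNED, cert_emails))
    print("altered sender bound to signer:", sender_matches_signer(ALTERED, cert_emails))
```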

  2. Roberto Franceschetti wrote:

    > This report is also available graphically at
    > http://www.logsat.com/Signatures
    >


    <snip>

    Thanks for the info. I can't believe that MS has done nothing about this as
    some companies use this for sending critical information. Figures MS has
    really dropped the ball on so many fronts that nothing they do really
    surprises me any more. I have been using their crap ware since DOS 2.1. At
    least back then they did not have their head too far up their butt...

    In any case thanks, at least people can be warned...

    Michael
     
    Michael J. Pelletier, Feb 18, 2005
    #2

  3. Roberto Franceschetti

    Vanguard Guest

    "Roberto Franceschetti" <>
    wrote in message news:iY7Rd.98502$...

    <snip - same multi-posted message found in microsoft.public.outlook
    group>

    And the need to multi-post the SAME message to multiple newsgroups was?
    Cross-post please.

    --
    ____________________________________________________________
    Post your replies to the newsgroup. Share with others.
    E-mail reply: Remove "NIXTHIS" and add "#VS811" to Subject.
    ____________________________________________________________
     
    Vanguard, Feb 18, 2005
    #3
  4. Roberto Franceschetti

    donnie Guest

    Cross Post was Re: Security Flaw in how Outlook verifies Digital Signatures

    On Fri, 18 Feb 2005 00:28:00 -0600, "Vanguard"
    <> wrote:

    >And the need to multi-post the SAME message to multiple newsgroups was?
    >Cross-post please.

    #############################
    Why do some people say don't cross post and others request it?
    donnie.
     
    donnie, Feb 19, 2005
    #4
  5. Roberto Franceschetti

    Leythos Guest

    Re: Cross Post was Re: Security Flaw in how Outlook verifies Digital Signatures

    On Sat, 19 Feb 2005 01:08:15 +0000, donnie wrote:

    > On Fri, 18 Feb 2005 00:28:00 -0600, "Vanguard"
    > <> wrote:
    >
    >>And the need to multi-post the SAME message to multiple newsgroups was?
    >>Cross-post please.

    > #############################
    > Why do some people say don't cross post and others request it?
    > donnie.


    Cross posting to fewer than 5~7 groups is the proper way and allows proper
    Usenet readers to click on the post in ONE group and mark it as read for
    all of them, it also allows all participants across all groups it was
    posted to see any reply.

    Multi-Post is much like spam, it creates separate messages in each group
    and none of them are linked to each other - this means that a discussion
    in one group may not be seen by participants in another group with the
    same original post.

    Posting to more than 5~7 groups is always considered improper and in bad
    form.


    --

    remove 999 in order to email me
     
    Leythos, Feb 19, 2005
    #5
  6. Re: Cross Post was Re: Security Flaw in how Outlook verifies Digital Signatures

    Yes I admit the mistake. I had a multi-post to 6 groups I believe. The
    postings were done manually as I was finding appropriate groups and websites
    to make the information public. It was not intended as spam, but as ideas of
    where to post the info came to mind, I acted upon them...
    The conversation is continuing on microsoft.public.outlook

    Roberto Franceschetti

    "Leythos" <> wrote in message
    news:p...
    > On Sat, 19 Feb 2005 01:08:15 +0000, donnie wrote:
    >
    >> On Fri, 18 Feb 2005 00:28:00 -0600, "Vanguard"
    >> <> wrote:
    >>
    >>>And the need to multi-post the SAME message to multiple newsgroups was?
    >>>Cross-post please.

    >> #############################
    >> Why do some people say don't cross post and others request it?
    >> donnie.

    >
    > Cross posting to fewer than 5~7 groups is the proper way and allows proper
    > Usenet readers to click on the post in ONE group and mark it as read for
    > all of them, it also allows all participants across all groups it was
    > posted to see any reply.
    >
    > Multi-Post is much like spam, it creates separate messages in each group
    > and none of them are linked to each other - this means that a discussion
    > in one group may not be seen by participants in another group with the
    > same original post.
    >
    > Posting to more than 5~7 groups is always considered improper and in bad
    > form.
    >
    >
    > --
    >
    > remove 999 in order to email me
    >
     
    Roberto Franceschetti, Feb 19, 2005
    #6
