Security Flaw in how Outlook verifies Digital Signatures

Discussion in 'Computer Security' started by Roberto Franceschetti, Feb 17, 2005.

  1. This report is also available graphically at

    On 10/21/2004 the following vulnerability was reported to Microsoft:

    Security Flaw with Digital signatures in Microsoft Outlook -
    Emails in Microsoft Outlook digitally signed with S/MIME using either a
    commercial personal certificate like Verisign or using a certificate issued
    by MS Certificate Server can be altered. Outlook will not show any warnings
    about the email being changed, the digital signature will still be
    reported valid even though the message content has been modified and
    parties involved in the signatures changed.
    This is an extremely serious flaw as I can change any digitally signed
    emails I want without Outlook ever noticing.
    After several emails with Microsoft and CERT during the months that
    followed, no fixes have been issued to correct this security flaw. It is
    only now that I am making this information public after all my attempts to
    have Microsoft resolve the problem have failed.

    The following are 3 digitally signed messages. The 1st one is a valid,
    unmodified email from Roberto Franceschetti (roberto at to
    support at (follow the hyperlinks for the email's source and

    Screenshot at
    Email's source at

    The following one has been "hacked" so that the sender now appears to be
    "Hackers Franceschetti" (). Note that Outlook states that
    the email is absolutely valid, and that the certificate is Valid and
    Trusted. This is most definitely not the case, as I've altered the original
    message to make it appear as a different person actually sent it. Imagine
    the scenario where a digital signature is supposed to unequivocally identify
    a sender, but now this email that appears to be sent by "hackers" appears
    legitimate, and a poor victim will trust it and send the hacker any
    confidential information he is asked for... (follow the hyperlinks for the
    email's source):

    Screenshot at
    Email's source at

    This 3rd email is yet another variation showing how a digitally signed email
    can further be forget without Outlook ever raising warning flags (follow the
    hyperlinks for the email's source):

    Screenshot at
    Email's source at

    The full emails with the conversations between myself, Microsoft and CERT
    can be found here ( I hope that
    by making this information public all the users who rely on digital
    signatures will be aware of this severe security flaw in Microsoft Outlook,
    and will take other precautions to ensure the identity of users in digitally
    signed emails they receive.
    Roberto Franceschetti
    LogSat Software
    roberto at sign
    Roberto Franceschetti, Feb 17, 2005
    1. Advertisements

  2. <snip>

    Thanks for the info. I can't believe that MS has done nothing about this as
    some companies use this for sending critical information. Figures MS has
    really dropped the ball on so many fronts that nothing they do really
    surprises me any more. I have been using there crap ware since DOS 2.1 at
    least back then they they did not have their head too far up their butt...

    In any case thanks, at least people can be warned...

    Michael J. Pelletier, Feb 18, 2005
    1. Advertisements

  3. Roberto Franceschetti

    Vanguard Guest

    "Roberto Franceschetti" <>
    wrote in message
    <snip - same multi-posted message found in microsoft.public.outlook

    And the need to multi-post the SAME message to multiple newsgroups was?
    Cross-post please.
    Vanguard, Feb 18, 2005
  4. Roberto Franceschetti

    donnie Guest

    Why do some people say don't cross post and others request it?
    donnie, Feb 19, 2005
  5. Roberto Franceschetti

    Leythos Guest

    Cross posting to fewer than 5~7 groups is the proper way and allows proper
    Usenet readers to click on the post in ONE group and mark it as read for
    all of them, it also allows all participants across all groups it was
    posted to see any reply.

    Multi-Post is much like spam, it creates separate messages in each group
    and none of them are linked to each other - this means that a discussion
    in one group may not been seen my participants in another group with the
    same original post.

    Posting to more than 5~7 groups is always consider improper and in bad
    Leythos, Feb 19, 2005
  6. Yes I admit the mistake. I had a multi-post to 6 groups I believe. The
    postings were done manually as I was finding appropriate groups and websites
    to make the information public. It was not intended as spam, but as ideas of
    were to post the info came to mind, I acted upon them...
    The conversation is continuing on microsoft.public.outlook

    Roberto Franceschetti
    Roberto Franceschetti, Feb 19, 2005
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.