Security Flaw in Microsoft Outlook and Digital Signatures - Windows NT


Thread: Security Flaw in Microsoft Outlook and Digital Signatures

  1. Security Flaw in Microsoft Outlook and Digital Signatures

    This report is also available graphically at
    http://logsat.com/Signatures

    On 10/21/2004 the following vulnerability was reported to Microsoft:

    Security Flaw with Digital signatures in Microsoft Outlook -
    Emails in Microsoft Outlook digitally signed with S/MIME using either a
    commercial personal certificate like Verisign or using a certificate
    issued by MS Certificate Server can be altered. Outlook will not show
    any warnings about the email being changed, the digital signature will
    still be reported valid even though the message content has been
    modified and parties involved in the signatures changed.
    This is an extremely serious flaw as I can change any digitally signed
    emails I want without Outlook ever noticing.
    After several emails with Microsoft and CERT during the months that
    followed, no fixes have been issued to correct this security flaw. It
    is only now that I am making this information public after all my
    attempts to have Microsoft resolve the problem have failed.

    The following are 3 digitally signed messages. The 1st one is a valid,
    unmodified email from Roberto Franceschetti (roberto@logsat.com) to
    support@logsat.com: (follow the hyperlinks for the email's source and
    screenshots)

    Screenshot at http://logsat.com/Signatures/Valid.gif
    Email's source at http://logsat.com/Signatures/Valid.msg


    The following one has been "hacked" so that the sender now appears to
    be "Hackers Franceschetti" (hackers@logsat.com). Note that Outlook
    states that the email is absolutely valid, and that the certificate is
    Valid and Trusted. This is most definitely not the case, as I've
    altered the original message to make it appear as a different person
    actually sent it. Imagine the scenario where a digital signature is
    supposed to unequivocally identify a sender, but now this email that
    appears to be sent by "hackers" appears legitimate, and a poor victim
    will trust it and send the hacker any confidential information he is
    asked for... (follow the hyperlinks for the email's source):

    Screenshot at http://logsat.com/Signatures/Hacked1.gif
    Email's source at http://logsat.com/Signatures/Hacked1.msg


    This 3rd email is yet another variation showing how a digitally signed
    email can further be forged without Outlook ever raising warning flags
    (follow the hyperlinks for the email's source):

    Screenshot at http://logsat.com/Signatures/Hacked2.gif
    Email's source at http://logsat.com/Signatures/Hacked2.msg



    The full emails with the conversations between myself, Microsoft and
    CERT can be found here (http://www.logsat.com/Signatures/emails.asp). I
    hope that by making this information public all the users who rely on
    digital signatures will be aware of this severe security flaw in
    Microsoft Outlook, and will take other precautions to ensure the
    identity of users in digitally signed emails they receive.
    Roberto Franceschetti
    LogSat Software
    roberto@logsat.com


  2. Re: Security Flaw in Microsoft Outlook and Digital Signatures



    roberto@logsat.com wrote:

    > Security Flaw with Digital signatures in Microsoft Outlook -
    > Emails in Microsoft Outlook digitally signed with S/MIME using either a
    > commercial personal certificate like Verisign or using a certificate
    > issued by MS Certificate Server can be altered. Outlook will not show
    > any warnings about the email being changed, the digital signature will
    > still be reported valid even though the message content has been
    > modified and parties involved in the signatures changed.
    > This is an extremely serious flaw as I can change any digitally signed
    > emails I want without Outlook ever noticing.


    To make a long story short, if I understand correctly, the problem you are
    reporting is that Microsoft Outlook does not compare the "From:" line of an
    email message to the email address on the signing certificate?

    If so, I would agree that the user interface is potentially misleading - it
    probably should not show the "From:" address in the context of signature
    validation, since the "From:" address is not what the signature is intended
    to authenticate.

    Thor

    --
    http://www.anta.net/OH2GDF

  3. Re: Security Flaw in Microsoft Outlook and Digital Signatures

    Correct, it is not. Any email can be forged to make it appear as if it was
    sent by a different address/name. Think of it as someone forging an ink signature
    on a piece of paper. If you dig down deep in the certificate you will
    eventually see that it does not correspond to the sender, however your
    average computer user will not be able to do that, just like an average
    person will not be able to detect forged signatures on paper.

    Given that digital signatures are designed to ensure that documents are not
    altered, and that technology should be as foolproof as possible, the
    ease with which anyone can forge a digital signature without Outlook
    noticing is very troublesome.

    Please note that the smaller brother, Outlook Express, along with the
    various free products like Thunderbird, Netscape etc, will, correctly,
    immediately and very visibly inform the user that the email was forged.

    Roberto Franceschetti


    "Thor Kottelin" wrote in message
    news:4213C0DE.7CA61827@anta.net...
    >
    >
    > roberto@logsat.com wrote:
    >
    >> Security Flaw with Digital signatures in Microsoft Outlook -
    >> Emails in Microsoft Outlook digitally signed with S/MIME using either a
    >> commercial personal certificate like Verisign or using a certificate
    >> issued by MS Certificate Server can be altered. Outlook will not show
    >> any warnings about the email being changed, the digital signature will
    >> still be reported valid even though the message content has been
    >> modified and parties involved in the signatures changed.
    >> This is an extremely serious flaw as I can change any digitally signed
    >> emails I want without Outlook ever noticing.

    >
    > To make a long story short, if I understand correctly, the problem you are
    > reporting is that Microsoft Outlook does not compare the "From:" line of an
    > email message to the email address on the signing certificate?
    >
    > If so, I would agree that the user interface is potentially misleading - it
    > probably should not show the "From:" address in the context of signature
    > validation, since the "From:" address is not what the signature is intended
    > to authenticate.
    >
    > Thor
    >
    > --
    > http://www.anta.net/OH2GDF
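
Added example, not part of the thread: the comparison discussed above (the "From:" line against the email address on the signing certificate), written as a check a mail client or gateway could run after S/MIME verification. The function name and the `cert_emails` input (addresses already extracted from the verified signer certificate by whatever S/MIME library is in use) are assumptions; the sample messages are constructed from the addresses in the first post.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample messages (addresses taken from the first post).
VALID = (
    "From: Roberto Franceschetti <roberto@logsat.com>\n"
    "To: support@logsat.com\n"
    "Subject: test\n\nbody\n"
)
# Header From rewritten, as in the "hacked" message of the first post.
REWRITTEN = VALID.replace(
    "Roberto Franceschetti <roberto@logsat.com>",
    "Hackers Franceschetti <hackers@logsat.com>",
)
# Display name dressed up to look like the signer's address.
LOOKALIKE = VALID.replace(
    "Roberto Franceschetti <roberto@logsat.com>",
    '"roberto@logsat.com" <hackers@logsat.com>',
)
# Two From headers: clients may disagree on which one they display.
DOUBLED = "From: hackers@logsat.com\n" + VALID


def check_signer_binding(raw_message, cert_emails):
    """Compare the header From address with the signer certificate's addresses.

    cert_emails: addresses from the already verified signing certificate
    (assumed input; extracting them is the S/MIME library's job).
    Returns (ok, reason).
    """
    signer = {e.strip().lower() for e in cert_emails if e.strip()}
    if not signer:
        return False, "signing certificate carries no email address"
    msg = message_from_string(raw_message)
    from_headers = msg.get_all("From", [])
    if len(from_headers) != 1:
        return False, "expected one From header, found %d" % len(from_headers)
    # Keep only the addr-spec; the display name is attacker-controlled text.
    addrs = [a.lower() for _, a in getaddresses(from_headers) if a]
    if len(addrs) != 1:
        return False, "From must contain exactly one mailbox"
    if addrs[0] not in signer:
        return False, "From %s is not in signer certificate %s" % (
            addrs[0], sorted(signer))
    return True, "From matches signing certificate"
```

A failed check is grounds for a visible warning next to the signature status rather than proof that the signed body was changed, since the S/MIME signature covers the signed MIME content and not the outer message headers.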



