Network Security Vuln-Dev

RE: Security Flaw with Digital signatures in Microsoft Outlook

Subject: RE: Security Flaw with Digital signatures in Microsoft Outlook
Date: Fri, 25 Mar 2005 18:47:09 +0200

As I see the problem, Outlook shows the name of the sender from the email
instead of the name from the signing certificate. And, by the way, Outlook is
not the best S/MIME client at this moment in time. I think it is better, for
the moment, to use other products for signing and encrypting emails,
for example Netscape (which is free), or other commercial products which, in
conjunction with Outlook, offer better security.

Regards,

Adrian Floarea
Information Security Department
IT&C Division, UTI Systems SA
Bucharest, Romania
Email: adrian.floarea@uti.ro



-----Original Message-----
From: Roberto Franceschetti [mailto:roberto@logsat.com] 
Sent: Friday, March 25, 2005 10:21 PM
To: bugtraq@securityfocus.com
Subject: Security Flaw with Digital signatures in Microsoft Outlook
On 10/21/2004 the following vulnerability was reported to Microsoft:

Security Flaw with Digital signatures in Microsoft Outlook - Emails in
Microsoft Outlook digitally signed with S/MIME using either a commercial
personal certificate like Verisign or using a certificate issued by MS
Certificate Server can be altered. Outlook will not show any warnings about
the email being changed, the digital signature will still be reported valid
even though the message content has been modified and parties involved in
the signatures changed. This is an extremely serious flaw as I can change
any digitally signed emails I want without Outlook ever noticing. After
several emails with Microsoft and CERT during the months that followed, no
fixes have been issued to correct this security flaw. It is only now that I
am making this information public after all my attempts to have Microsoft
resolve the problem have failed.

The following are 3 digitally signed messages. The 1st one is a valid,
unmodified email from Roberto Franceschetti (roberto@logsat.com) to
support@logsat.com: (follow the hyperlinks for the email's source and
screenshots)

Screenshot at http://www.logsat.com/Signatures/Valid.gif
Email's source at http://www.logsat.com/Signatures/Valid.msg


The following one has been "hacked" so that the sender now appears to be
"Hackers Franceschetti" (hackers@logsat.com). Note that Outlook states that
the email is absolutely valid, and that the certificate is Valid and
Trusted. This is most definitely not the case, as I've altered the original
message to make it appear as a different person actually sent it. Imagine
the scenario where a digital signature is supposed to unequivocally identify
a sender, but now this email that appears to be sent by "hackers" appears
legitimate, and a poor victim will trust it and send the hacker any
confidential information he is asked for... (follow the hyperlinks for the
email's source):

Screenshot at http://www.logsat.com/Signatures/Hacked1.gif
Email's source at http://www.logsat.com/Signatures/Hacked1.msg


This 3rd email is yet another variation showing how a digitally signed email
can further be forged without Outlook ever raising warning flags (follow the
hyperlinks for the email's source):

Screenshot at http://www.logsat.com/Signatures/Hacked2.gif
Email's source at http://www.logsat.com/Signatures/Hacked2.msg



The full emails with the conversations between myself, Microsoft and CERT
can be found here (http://www.logsat.com/Signatures/emails.asp). I hope that
by making this information public all the users who rely on digital
signatures will be aware of this severe security flaw in Microsoft Outlook,
and will take other precautions to ensure the identity of users in digitally
signed emails they receive.

Roberto Franceschetti
LogSat Software
roberto@logsat.com
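The check that the thread says Outlook was not doing, as an added example (not code from the original post or from any product named in it): a POSIX shell script that uses openssl to build a constructed S/MIME message, verifies the signature, and then compares the unsigned From: address with the e-mail identities carried in the signer certificate. The helper name check_smime_sender and the example.test addresses are assumptions, and an openssl binary must be on the PATH.

```shell
#!/bin/sh
# Added example, not code from the original thread. The S/MIME signature covers
# only the signed MIME body; the From: header sits outside it, so a client that
# verifies the signature and then displays the unsigned From: name can be
# misled. This check verifies the signature AND binds the From: address to the
# e-mail identities in the signer certificate. All names/addresses are made up.

WORK=$(mktemp -d)

# Constructed self-signed signer certificate for alice@example.test.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
  -subj "/CN=Alice Example/emailAddress=alice@example.test" >/dev/null 2>&1

# Message 1: signed body, From: header agrees with the certificate.
printf 'Content-Type: text/plain\n\nPlease wire the usual amount.\n' > "$WORK/body.txt"
openssl smime -sign -in "$WORK/body.txt" -signer "$WORK/cert.pem" \
  -inkey "$WORK/key.pem" -from alice@example.test -to bob@example.test \
  -subject "Quarterly payment" -out "$WORK/good.eml"

# Message 2: the same signed body under a different, unsigned From: header.
sed 's/^From: .*/From: Alice Example <mallory@example.test>/' \
  "$WORK/good.eml" > "$WORK/mismatch.eml"

# check_smime_sender MESSAGE CAFILE  (hypothetical helper name)
#   0: signature valid and From: matches a certificate e-mail address
#   1: signature valid but From: does not match (the failure mode reported above)
#   2: signature or certificate chain invalid    3: no From: address found
check_smime_sender() {
  msg=$1 ca=$2 signer=$(mktemp)
  # Step 1: cryptographic verification; writes the signer cert to $signer.
  if ! openssl smime -verify -in "$msg" -CAfile "$ca" -signer "$signer" \
       -out /dev/null >/dev/null 2>&1; then rm -f "$signer"; return 2; fi
  # Step 2: pull the address out of the (unsigned) From: header, lower-cased.
  from=$(sed -n '/^$/q; s/^From:.*<\([^>]*\)>.*/\1/p; s/^From: *\([^ <]*@[^ >]*\).*/\1/p' \
           "$msg" | head -n 1 | tr -d '\r' | tr 'A-Z' 'a-z')
  # Step 3: e-mail identities the certificate certifies (subject emailAddress
  # and rfc822Name SANs); the message is trustworthy only if From: is one of them.
  certmails=$(openssl x509 -in "$signer" -noout -email | tr 'A-Z' 'a-z')
  rm -f "$signer"
  [ -n "$from" ] || return 3
  printf '%s\n' "$certmails" | grep -qxF "$from"
}

for f in good mismatch; do
  rc=0; check_smime_sender "$WORK/$f.eml" "$WORK/cert.pem" || rc=$?
  echo "$f.eml -> status $rc"   # good.eml -> 0, mismatch.eml -> 1
done
```

Both messages pass step 1 with an identical, valid signature; only the identity binding in steps 2 and 3 separates them, which is the gap the report above describes.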