lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20050325162745.15769.qmail@mail.securityfocus.com> Date: Fri, 25 Mar 2005 18:47:09 +0200 From: "Adrian Floarea" <adrian.floarea@....ro> To: <bugtraq@...urityfocus.com> Subject: RE: Security Flaw with Digital signatures in Microsoft Outlook As I see the problem, Outlook shows the name of the sender from the email instead the name from the signing certificate. And, by the way, Outlook is not a the best S/MIME client in this moment in time. I think is better, for the moment, to use other products in order to signing and encrypting emails. For example Netscape (which is free), or other commercial products which in conjunctions with Outlook offer a better security. Regards, Adrian Floarea Information Security Department IT&C Division, UTI Systems SA Bucharest, Romania Email: adrian.floarea@....ro -----Original Message----- From: Roberto Franceschetti [mailto:roberto@...sat.com] Sent: Friday, March 25, 2005 10:21 PM To: bugtraq@...urityfocus.com Subject: Security Flaw with Digital signatures in Microsoft Outlook On 10/21/2004 the following vulnerability was reported to Microsoft: Security Flaw with Digital signatures in Microsoft Outlook - Emails in Microsoft Outlook digitally signed with S/MIME using either a commercial personal certificate like Verisign or using a certificate issued by MS Certificate Server can be altered. Outlook will not show any warnings about the email being changed, the digital signature will still be reported valid even though the message content has been modified and parties involved in the signatures changed. This is an extremely serious flaw as I can change any digitally signed emails I want without Outlook ever noticing. After several emails with Microsoft and CERT during the months that followed, no fixes have been issued to correct this security flaw. It is only now that I am making this information public after all my attempts to have Microsoft resolve the problem have failed. The following are 3 digitally signed messages. The 1st one is a valid, unmodified email from Roberto Franceschetti (roberto@...sat.com) to support@...sat.com: (follow the hyperlinks for the email's source and screenshots) Screenshot at http://www.logsat.com/Signatures/Valid.gif Email's source at http://www.logsat.com/Signatures/Valid.msg The following one has been "hacked" so that the sender now appears to be "Hackers Franceschetti" (hackers@...sat.com). Note that Outlook states that the email is absolutely valid, and that the certificate is Valid and Trusted. This is most definitely not the case, as I've altered the original message to make it appear as a different person actually sent it. Imagine the scenario where a digital signature is supposed to unequivocally identify a sender, but now this email that appears to be sent by "hackers" appears legitimate, and a poor victim will trust it and send the hacker any confidential information he is asked for... (follow the hyperlinks for the email's source): Screenshot at http://www.logsat.com/Signatures/Hacked1.gif Email's source at http://www.logsat.com/Signatures/Hacked1.msg This 3rd email is yet another variation showing how a digitally signed email can further be forget without Outlook ever raising warning flags (follow the hyperlinks for the email's source): Screenshot at http://www.logsat.com/Signatures/Hacked2.gif Email's source at http://www.logsat.com/Signatures/Hacked2.msg The full emails with the conversations between myself, Microsoft and CERT can be found here (http://www.logsat.com/Signatures/emails.asp). I hope that by making this information public all the users who rely on digital signatures will be aware of this severe security flaw in Microsoft Outlook, and will take other precautions to ensure the identity of users in digitally signed emails they receive. Roberto Franceschetti LogSat Software roberto@...sat.com
Powered by blists - more mailing lists