From secnotif@MICROSOFT.COM Thu Mar 29 16:12:03 2001
From: Microsoft Product Security
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Wed, 28 Mar 2001 17:40:59 -0800
Subject: [BUGTRAQ] Microsoft Security Bulletin MS01-017 (version 2.0)

The following is a Security Bulletin from the Microsoft Product Security Notification Service.

Please do not reply to this message, as it was sent from an unattended mailbox.

********************************

----------------------------------------------------------------------
Title:      Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard
Released:   22 March 2001
Revised:    28 March 2001 (version 2.0)
Software:   All Microsoft operating systems
Impact:     Attacker could digitally sign code using the name "Microsoft Corporation".
Bulletin:   MS01-017

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-017.asp.
----------------------------------------------------------------------

Reason for Revision:
====================
The software update discussed in the original version of the bulletin is now available.

Issue:
======
In mid-March 2001, VeriSign, Inc., advised Microsoft that on January 29 and 30, 2001, it issued two VeriSign Class 3 code-signing digital certificates to an individual who fraudulently claimed to be a Microsoft employee. The common name assigned to both certificates is "Microsoft Corporation". The ability to sign executable content using keys that purport to belong to Microsoft would clearly be advantageous to an attacker who wished to convince users to allow the content to run. The certificates could be used to sign programs, ActiveX controls, Office macros, and other executable content. Of these, signed ActiveX controls and Office macros would pose the greatest risk, because the attack scenarios involving them would be the most straightforward.
Both ActiveX controls and Word documents can be delivered via either web pages or HTML mails. ActiveX controls can be automatically invoked via script, and Word documents can be automatically opened via script unless the user has applied the Office Document Open Confirmation Tool.

Even though the certificates say they are owned by Microsoft, they are not bona fide Microsoft certificates, and content signed by them would not be trusted by default. Trust is defined on a certificate-by-certificate basis, rather than on the basis of the common name. As a result, a warning dialogue would be displayed before any of the signed content could be executed, even if the user had previously agreed to trust other certificates with the common name "Microsoft Corporation". The danger, of course, is that even a security-conscious user might agree to let the content execute, and might agree to always trust the bogus certificates.

VeriSign has revoked the certificates, and they are listed in VeriSign's current Certificate Revocation List (CRL). However, because VeriSign's code-signing certificates do not specify a CRL Distribution Point (CDP), it is not possible for any browser's CRL-checking mechanism to locate and use the VeriSign CRL. Microsoft has developed an update that rectifies this problem. The update package includes a CRL containing the two certificates, and an installable revocation handler that consults the CRL on the local machine, rather than attempting to use the CDP mechanism.

Customers should take notice of the caveats listed below in the section titled "Additional information about this patch", and in particular should note that the update will need to be re-installed when upgrading to any currently-available version of Windows or Internet Explorer. Versions of Windows beginning with Windows XP Gold and Windows 2000 Service Pack 2, and versions of Internet Explorer beginning with IE 6 will not require the update to be re-installed.
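The two points above (trust is per certificate, not per common name, and a certificate with no CDP must be checked against a CRL held locally) as an added Go example, not code from the bulletin or from Microsoft's update. It uses Go's standard crypto/x509 package to build a throwaway CA, a leaf whose common name is "Microsoft Corporation" but which carries no CRL Distribution Point, and a CRL that revokes it; the key, the serial 4242 and the dates are constructed for the example, not VeriSign's values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CheckLocal mirrors the handler the bulletin describes: the certificate carries
// no CRL Distribution Point, so revocation is decided against a CRL held on the
// local machine. Trust is keyed by issuer and serial, never by the common name.
func CheckLocal(cert *x509.Certificate, crl *x509.RevocationList, trusted map[string]bool) string {
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return "revoked: block"
		}
	}
	if trusted[cert.Issuer.String()+"#"+cert.SerialNumber.String()] {
		return "trusted"
	}
	return "not trusted: show warning dialogue" // CN "Microsoft Corporation" earns nothing by itself
}

// BuildScenario constructs a throwaway CA, a leaf with common name "Microsoft Corporation"
// and no CDP, and a CRL revoking it. Key, serial 4242 and dates are constructed, not VeriSign's.
func BuildScenario() (*x509.Certificate, *x509.RevocationList) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, SubjectKeyId: []byte{1}}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "Microsoft Corporation"},
		NotBefore: time.Date(2001, 1, 29, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(2002, 1, 29, 0, 0, 0, 0, time.UTC)}
	leafDER, err := x509.CreateCertificate(rand.Reader, leaf, ca, &key.PublicKey, key)
	if err != nil { panic(err) }
	leafCert, err := x509.ParseCertificate(leafDER)
	if err != nil { panic(err) }
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour), RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: leaf.SerialNumber, RevocationTime: time.Now()}}}, ca, key)
	if err != nil { panic(err) }
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil { panic(err) }
	return leafCert, crl
}
```

The leaf's NotBefore is the same field a user sees as the issue date in the warning dialogue, so the manual check the bulletin recommends below (issued 29 or 30 January 2001) can be applied to leafCert.NotBefore as well.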
Customers who do not wish to install the update should take the following steps to protect themselves in the event that they encounter hostile code signed by one of the certificates:

- Visually inspect the certificates cited in all warning dialogues. The two certificates at issue here were issued on 29 and 30 January 2001, respectively. No bona fide Microsoft certificates were issued on these dates. The FAQ and Knowledge Base article Q293817 provide complete details regarding both certificates.

- Install the Outlook Email Security Update (http://www.officeupdate.com/2000/downloadDetails/Out2ksec.htm) to prevent mail-borne programs from being launched, even via signed components, and install the Office Document Open Confirmation Tool (http://officeupdate.microsoft.com/downloadDetails/confirm.htm) to force web pages to request permission before opening Office documents.

Mitigating Factors:
===================
- The certificates are not trusted by default. As a result, neither programs nor ActiveX controls could be made to run without displaying a warning dialogue. By viewing the certificate in such dialogues, users can easily recognize the certificates.

- The certificates are not the bona fide Microsoft code-signing certificates. Content signed by those keys can be distinguished from bona fide Microsoft content.

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read Security Bulletin http://www.microsoft.com/technet/security/bulletin/ms01-017.asp for information on obtaining this patch.

----------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

*******************************************************************

You have received this e-mail bulletin as a result of your registration to the Microsoft Product Security Notification Service.

To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.

For more information on the Microsoft Security Notification Service please visit http://www.microsoft.com/technet/security/notify.asp. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.