Re: Security Flaw with Digital Signatures in Outlook

From: GT (DSS4u_at_+++nospam+++HOTMAIL.COM)
Date: 02/18/05


Date: Thu, 17 Feb 2005 22:31:48 -0500

It appears to me that you do not accept MS' interpretation of the RFC. They
are saying that the headers (which include the sender's address) are not
supposed to be covered by the digital signature. If they are correct then
it is behaving normally. This means that you must click on the signature to
verify that it is from the right person. This actually makes some sense to
me. If we draw an analogy with a letter, the envelope itself is not signed.
You must look inside for the signature.

-GT
"Roberto Franceschetti" <roberto_remove_n.o.s.p.a.m_tag@logsat.com> wrote in
message news:oJ7Rd.51766$pc5.41622@tornado.tampabay.rr.com...
> This report is also available graphically at
> http://www.logsat.com/Signatures
>
> On 10/21/2004 the following vulnerability was reported to Microsoft:
>
> Security Flaw with Digital signatures in Microsoft Outlook -
> Emails in Microsoft Outlook digitally signed with S/MIME using either a
> commercial personal certificate like Verisign or using a certificate
> issued by MS Certificate Server can be altered. Outlook will not show any
> warnings about the email being changed, the digital signature will still be
> reported valid even though the message content has been modified and
> parties involved in the signatures changed.
> This is an extremely serious flaw as I can change any digitally signed
> emails I want without Outlook ever noticing.
> After several emails with Microsoft and CERT during the months that
> followed, no fixes have been issued to correct this security flaw. It is
> only now that I am making this information public after all my attempts to
> have Microsoft resolve the problem have failed.
>
> The following are 3 digitally signed messages. The 1st one is a valid,
> unmodified email from Roberto Franceschetti (roberto at logsat.com) to
> support at logsat.com: (follow the hyperlinks for the email's source and
> screenshots)
>
> Screenshot at http://www.logsat.com/Signatures/Valid.gif
> Email's source at http://www.logsat.com/Signatures/Valid.msg
>
>
> The following one has been "hacked" so that the sender now appears to be
> "Hackers Franceschetti" (hackers@logsat.com). Note that Outlook states
> that the email is absolutely valid, and that the certificate is Valid and
> Trusted. This is most definitely not the case, as I've altered the
> original message to make it appear as a different person actually sent it.
> Imagine the scenario where a digital signature is supposed to
> unequivocally identify a sender, but now this email that appears to be
> sent by "hackers" appears legitimate, and a poor victim will trust it and
> send the hacker any confidential information he is asked for... (follow
> the hyperlinks for the email's source):
>
> Screenshot at http://www.logsat.com/Signatures/Hacked1.gif
> Email's source at http://www.logsat.com/Signatures/Hacked1.msg
>
>
> This 3rd email is yet another variation showing how a digitally signed
> email can further be forged without Outlook ever raising warning flags
> (follow the hyperlinks for the email's source):
>
> Screenshot at http://www.logsat.com/Signatures/Hacked2.gif
> Email's source at http://www.logsat.com/Signatures/Hacked2.msg
>
>
>
> The full emails with the conversations between myself, Microsoft and CERT
> can be found here (http://www.logsat.com/Signatures/emails.asp). I hope
> that by making this information public all the users who rely on digital
> signatures will be aware of this severe security flaw in Microsoft
> Outlook, and will take other precautions to ensure the identity of users
> in digitally signed emails they receive.
> Roberto Franceschetti
> LogSat Software
> roberto at sign logsat.com
>
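
As an added example (not code from the thread, from Microsoft or from LogSat), a minimal Python model of the point GT makes: an S/MIME signature covers the signed MIME part and the signer's certificate, not the outer From: header, so a verifier that stops at "signature valid" accepts a message whose From: was rewritten after signing. The CMS signature is replaced here by an HMAC with a constructed key, and the second checker adds the From:-versus-signer-address comparison that RFC 3850 requires of receiving agents; the addresses are the ones quoted in the post.

```python
import email.policy
import hashlib
import hmac
from email.utils import parseaddr

SIGNING_KEY = b"constructed-demo-key"  # stand-in for the signer's private key

def canonical(body: bytes) -> bytes:
    # The signed MIME part is canonicalised to CRLF line endings before signing.
    return body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")

def expected_mac(signer: str, body: bytes) -> str:
    # Binds the body to the identity carried inside the signed blob (the
    # certificate's e-mail address in real S/MIME), not to the From: header.
    data = signer.lower().encode() + b"\0" + canonical(body)
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()

def build_message(from_hdr: str, signer: str, body: str) -> bytes:
    sig = f"signer={signer};mac={expected_mac(signer, body.encode())}"
    return (f"From: {from_hdr}\r\nTo: support@logsat.com\r\n"
            f"X-Demo-Signature: {sig}\r\n\r\n{body}").encode()

def _parse(raw: bytes):
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    fields = dict(kv.split("=", 1) for kv in msg["X-Demo-Signature"].split(";"))
    return msg, msg.get_payload(decode=True), fields["signer"], fields["mac"]

def verify_body_only(raw: bytes) -> bool:
    """Only checks the signature over the body (the behaviour the post
    reports): a rewritten From: header does not change the result."""
    _, body, signer, mac = _parse(raw)
    return hmac.compare_digest(mac, expected_mac(signer, body))

def verify_with_sender_check(raw: bytes) -> str:
    """Signature check plus the From: vs. signer-address comparison that
    RFC 3850 requires of receiving agents."""
    msg, body, signer, mac = _parse(raw)
    if not hmac.compare_digest(mac, expected_mac(signer, body)):
        return "invalid signature"
    if parseaddr(msg["From"])[1].lower() != signer.lower():
        return "valid signature, but From: does not match signer"
    return "ok"

def forged_from(raw: bytes, new_from: str) -> bytes:
    # Constructed tampering: only the From: line changes; body and signature stay.
    head, _, rest = raw.partition(b"\r\n")
    return f"From: {new_from}\r\n".encode() + rest

VALID = build_message("Roberto Franceschetti <roberto@logsat.com>",
                      "roberto@logsat.com", "Please approve the attached wire.\r\n")
FORGED = forged_from(VALID, "Hackers Franceschetti <hackers@logsat.com>")
```

Running both checkers over VALID and FORGED shows the difference: the body-only check reports the forged message as valid, the sender check flags the mismatch, and a body edit fails both.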
