Subj : signed isn't signed
To   : All
From : Geo.
Date : Thu Mar 22 2001 07:40 am

From: "Geo."

Hmm, this one is going to take a bit to properly format in my usual Surgeon General's warning format. Since there's no patch currently available, I wanted to just give you a heads up quickly.

According to Microsoft... (using my own words, not Microsoft's) Verisign has royally screwed up. Verisign managed to issue a Class 3 Digital Certificate, a Certificate which is used for code-signing of things like ActiveX controls, Macros, applications, etc... to someone who purported to be from Microsoft Corporation. Problem is, that individual was not from Microsoft at all.

Such Certificates, when presented to our systems, cause our systems to prompt us with a dialog explaining the risks and benefits of Digital Certificates. This one will appear to be signed by Microsoft Corporation and vouched for by Verisign. It will bear the date of January 30 and/or January 31, 2001 if you view the details of the supplied Certificate.

Despite the fact that it's a Microsoft Certificate (for all intents and purposes it appears as such), it WILL NOT automatically be trusted by anyone's system. Even if you have previously stated that you want to trust all signed software from Microsoft, the fact that this one is a *different* Microsoft Certificate means you will still be prompted to trust it. That's a good thing(tm). The fact that unless you actually check the date on the Certificate you won't know whether or not it's one you can trust is a Bad Thing(tm), as obviously not everyone (read: next to nobody) is going to check every Certificate they get presented with.

You gotta wonder how Verisign's issuance mechanism could be so poorly designed and/or implemented to let something like this happen. Meanwhile, Microsoft are working on a patch which will stick its finger in this dam.
Basically, Verisign Code-Signing Certificates do not employ a Certificate Revocation List (CRL) feature called CDP, or CRL Distribution Point, which causes the Certificate to be checked for revocation each time it's read. Even if you have CRL turned on in IE, Verisign Code-Signing Certificates aren't checked. Microsoft's update is going to shim in some mechanism which causes some/all Code-Signing Certificates to check some local file/registry key for a CRL, which will (at least initially) contain the details of these Certificates. Assuming this works as advertised, any attempt to trust the mis-issued Certificates should fail.

A sore point for me right now is the lack of info on the perpetrators. We've currently got absolutely no information that we could use to help assess the relative risk from these errant Certificates. There's no way to tell whether we can expect to see hundreds of pieces of mal-signed code, or none. When the update is released, probably next week, you'll need to assess whether or not it should get onto every system in the world (MS is releasing an update that will patch every OS produced by them since 1995) immediately, or progressively over time. Without any additional knowledge, I'd start getting ready to administratively touch every system you are in contact with later next week.

More info as it comes. Expect to see every media outlet run a story later today on this.

The bulletin itself can be read at:

http://www.microsoft.com/technet/security/bulletin/MS01-017.asp

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
--- BBBS/NT v4.00 MP
 * Origin: Barktopia Gating Project http://HarborWebs.com:8081 (1:379/45)
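The two points Russ makes above (a certificate without a CDP cannot be checked online, so the patch falls back to a local revocation list, and a previously trusted publisher is matched on the exact certificate rather than on the name "Microsoft Corporation") as an added Python example; this is not part of the original post or of Microsoft's update. The certificate records, serials, the genuine certificate's date and the byte strings are constructed placeholders, and `cdp_urls`, `trusted_thumbprints` and the `(issuer, serial)` local list are names assumed here.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Set, Tuple

@dataclass(frozen=True)
class CodeSigningCert:
    """The fields the trust dialog shows; `der` stands in for the raw certificate bytes."""
    subject: str
    issuer: str
    serial: int
    not_before: str                   # date shown in the certificate details
    der: bytes                        # constructed placeholder, not real DER
    cdp_urls: Tuple[str, ...] = ()    # CRL Distribution Points extension; empty if absent

    def thumbprint(self) -> str:
        # identifies this exact certificate, not the name printed on it
        return hashlib.sha1(self.der).hexdigest()

def is_revoked(cert: CodeSigningCert, online_crls: Dict[str, Set[int]],
               local_revoked: Set[Tuple[str, int]]) -> bool:
    """Use the CRL named by the CDP when there is one; otherwise a local (issuer, serial) list."""
    if cert.cdp_urls:
        return any(cert.serial in online_crls.get(url, set()) for url in cert.cdp_urls)
    return (cert.issuer, cert.serial) in local_revoked

def trust_decision(cert: CodeSigningCert, trusted_thumbprints: Set[str],
                   online_crls: Dict[str, Set[int]], local_revoked: Set[Tuple[str, int]]) -> str:
    if is_revoked(cert, online_crls, local_revoked):
        return "reject"
    if cert.thumbprint() in trusted_thumbprints:
        return "run"          # exactly this certificate was trusted earlier
    return "prompt"           # same subject name on a different cert still prompts

# Constructed sample certificates; serials, the genuine cert's date and the bytes are placeholders
VS_CA = "VeriSign Class 3 Code Signing CA"
GENUINE = CodeSigningCert("Microsoft Corporation", VS_CA, 0x1001, "2000-06-15", b"genuine-bytes")
MISISSUED = CodeSigningCert("Microsoft Corporation", VS_CA, 0x2002, "2001-01-30", b"bogus-bytes")

def demo() -> Tuple[str, str, str]:
    trusted = {GENUINE.thumbprint()}     # "always trust content from Microsoft" via the real cert
    no_crls: Dict[str, Set[int]] = {}    # neither cert carries a CDP, so nothing is fetched
    before = trust_decision(MISISSUED, trusted, no_crls, set())               # "prompt"
    patched = {(MISISSUED.issuer, MISISSUED.serial)}                          # entry the update ships
    after = trust_decision(MISISSUED, trusted, no_crls, patched)              # "reject"
    return before, after, trust_decision(GENUINE, trusted, no_crls, patched)  # "run"

if __name__ == "__main__":
    print(demo())
```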