SecurityTracker.com
Category:   Application (Web Browser)  >  Microsoft Internet Explorer (IE)
Vendors:   Microsoft
(CIAC Issues Bulletin) Re: Microsoft Internet Explorer Does Not Check for Revoked Digital Certificates (Two Fraudulent Certificates Are Known to Exist)
SecurityTracker Alert ID:  1001145
SecurityTracker URL:  http://securitytracker.com/id/1001145
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 23 2001
Impact:   Execution of arbitrary code via network


Description:   CERT has issued an advisory (CA-2001-04) indicating that two unauthentic digital certificates have been issued by VeriSign that were improperly registered to "Microsoft Corporation". These certificates have since been revoked, but Microsoft Internet Explorer does not check whether certificates have been revoked and will assume that the bogus certificates are valid.

On January 29 and 30, 2001, VeriSign, Inc. issued two certificates to an individual fraudulently claiming to be an employee of Microsoft Corporation. Any code that is signed by these bogus certificates will appear to be legitimately signed by Microsoft when, in fact, it is not.

See the related Microsoft bulletin:

http://www.microsoft.com/technet/security/bulletin/MS01-017.asp

See the related VeriSign bulletin:

http://www.verisign.com/developer/notice/authenticode/index.html

A user of Internet Explorer (or other software that relies on digital certificates) could be deceived into trusting the bogus certificates, because they appear to be from Microsoft. Once the bogus certificates have been accepted, this may allow an attacker to execute malicious code on the user's system.

The digital certificates were issued in error by VeriSign after VeriSign failed to correctly authenticate the recipient of a certificate.

Internet Explorer does not check for certificate revocations automatically, so even though these bogus certificates have been revoked, the IE browser will not be aware of their revoked status.
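As an added illustration (not part of this entry, and not Microsoft's fix), the Go program below shows the gap the bulletin describes: chain verification alone accepts a code-signing certificate that its issuer has already revoked, while a CRL lookup against the issuer's list catches it. The CA, the "Microsoft Corporation" leaf and the CRL are all constructed inside the example; none is VeriSign's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// IsRevoked verifies the CRL was signed by the issuing CA, then looks the leaf serial up in it.
func IsRevoked(leaf, ca *x509.Certificate, crlDER []byte) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(ca) // a CRL the CA did not sign proves nothing
	}
	if err != nil {
		return false, err
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// Demo builds a constructed CA, a "Microsoft Corporation" code-signing leaf and a CRL in which the CA revokes it.
func Demo() (chainOK, revoked bool, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Class 3 CA"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Microsoft Corporation"},
		NotBefore: nb, NotAfter: na, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	leaf, _ := x509.ParseCertificate(leafDER)
	// The CA revokes the leaf, as VeriSign did with the two fraudulent certificates.
	crlDER, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: nb, NextUpdate: na,
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: leaf.SerialNumber, RevocationTime: nb}}}, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// Chain, signature and validity-period checks only: everything the vulnerable IE did, and they pass.
	_, verr := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	revoked, err = IsRevoked(leaf, ca, crlDER)
	return verr == nil, revoked, err
}
```

Demo returns chainOK true together with revoked true: a verifier that stops at the first result, as IE did, trusts the certificate; one that also consults the CRL rejects it.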

Impact:   A user of Internet Explorer (or other software that relies on digital certificates) could be deceived into trusting two bogus certificates that have been improperly issued, because the certificates appear to be from Microsoft. Once the bogus certificates have been accepted, this may allow an attacker to execute malicious code on the user's system.
Solution:   No solution was available at the time of this entry. Microsoft intends to release an update to Internet Explorer that will check a certificate's revocation status before accepting the certificate as valid.
Vendor URL:  www.microsoft.com/technet/security/bulletin/MS01-017.asp
Cause:   Authentication error
Underlying OS:   MacOS, Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Mar 23 2001 Microsoft Internet Explorer Does Not Check for Revoked Digital Certificates (Two Fraudulent Certificates Are Known to Exist)



 Source Message Contents

Date:  Thu, 22 Mar 2001 15:04:38 -0800 (PST)
Subject:  CIAC Bulletin L-062: Erroneous Verisign-Issued Digital Certificates for Microsoft


[For Public Release]
-----BEGIN PGP SIGNED MESSAGE-----


             __________________________________________________________

                       The U.S. Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

          Erroneous Verisign-Issued Digital Certificates for Microsoft

March 22, 2001 20:00 GMT                                          Number L-062
______________________________________________________________________________
PROBLEM:       Verisign erroneously issued two VeriSign Class 3 code-signing
               digital certificates to an individual fraudulently claiming to
               be a Microsoft employee. Both certificates use the name
               "Microsoft Corporation".
PLATFORM:      Microsoft Windows® 95
               Microsoft Windows 98
               Microsoft Windows Me
               Microsoft Windows NT® 4.0
               Microsoft Windows 2000
DAMAGE:        Damage varies. Indirectly, if a sys admin or user believes
               executable code to be from Microsoft, he/she will probably trust
               it. Meanwhile, the attacker could provide "Microsoft
               Corporation" signed executables that are really trojans or other
               malicious code.
SOLUTION:      Apply the workarounds provided below.
______________________________________________________________________________
VULNERABILITY  MEDIUM. Much of this threat/vulnerability can be mitigated by
ASSESSMENT:    verifying the Microsoft certificates, and checking the Verisign
               revoked list before trusting Microsoft code, as described in
               this bulletin.
______________________________________________________________________________

[******  Start Microsoft Advisory Here ******]

http://www.ciac.org/ciac/bulletins/l-062.shtml

[****** End Microsoft Advisory Here ******]



Copyright 2013, SecurityGlobal.net LLC