Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Become a Partner and License Our Database or Notification Service
(Microsoft Issues Bulletin) Re: Microsoft Internet Explorer Does Not Check for Revoked Digital Certificates (Two Fraudlent Certificates Are Known to Exist)
SecurityTracker Alert ID: 1001146|
SecurityTracker URL: http://securitytracker.com/id/1001146
(Links to External Site)
Date: Mar 23 2001
Execution of arbitrary code via network|
Vendor Confirmed: Yes |
CERT has issued and advisory (CA-2001-04) indicating that two unauthentic digital certificates have been issued by VeriSign that were improperly registered to "Microsoft Corporation". These certificates have since been revoked, but Microsoft Internet Explorer does not check to see if certificates have been revoked and will assume that the bogus certificates are valid.|
On January 29 and 30, 2001, VeriSign, Inc. issued two certificates to an individual fraudulently claiming to be an employee of Microsoft Corporation. Any code that is signed by these bogus certificates will appear to be legitimately signed by Microsoft when, in fact, it is not.
See the related Microsoft bulletin:
See the related VeriSign bulletin:
A user of Internet Explorer (or other software that relies on digital certificates) could be deceived into trusting the bogus certificates, because they appear to be from Microsoft. Once the bogus certificates have been accepted, this may allow an attacker to execute malicious code on the user's system.
The digital certificates were issued in error by VeriSign after VeriSign failed to correctly authenticate the recipient of a certificate.
Internet Explorer does not check for certificate revocations automatically, so even though these bogus certificates have been revoked, the IE browser will not be aware of their revoked status.
A user of Internet Explorer (or other software that relies on digital certificates) could be deceived into trusting two bogus certificates that have been improperly issued, because the certificates appear to be from Microsoft. Once the bogus certificates have been accepted, this may allow an attacker to execute malicious code on the user's system.|
No solution was available at the time of this entry. Microsoft intends to release an update to Internet Explorer that will check a certificates revocation status before accepting the certificate as valid.|
Vendor URL: www.microsoft.com/technet/security/bulletin/MS01-017.asp (Links to External Site)
MacOS, Windows (Any)|
This archive entry is a follow-up to the message listed below.|
Source Message Contents
Date: Thu, 22 Mar 2001 07:42:00 -0800|
Subject: Microsoft Security Bulletin MS01-017
The following is a Security Bulletin from the Microsoft Product Security
Please do not reply to this message, as it was sent from an unattended
-----BEGIN PGP SIGNED MESSAGE-----
Title: Erroneous VeriSign-Issued Digital Certificates Pose
Date: 22 March 2001
Software: All Microsoft customers should read the bulletin.
Impact: Attacker could digitally sign code using the name
Microsoft encourages customers to review the Security Bulletin at:
VeriSign, Inc., recently advised Microsoft that on January 30 and 31,
2001, it issued two VeriSign Class 3 code-signing digital
certificates to an individual who fraudulently claimed to be a
Microsoft employee. The common name assigned to both certificates is
"Microsoft Corporation". The ability to sign executable content using
keys that purport to belong to Microsoft would clearly be
advantageous to an attacker who wished to convince users to allow the
content to run.
The certificates could be used to sign programs, ActiveX controls,
Office macros, and other executable content. Of these, signed ActiveX
controls and Office macros would pose the greatest risk, because the
attack scenarios involving them would be the most straightforward.
Both ActiveX controls and Word documents can be delivered via either
web pages or HTML mails. ActiveX controls can be automatically
invoked via script, and Word documents can be automatically opened
via script unless the user has applied the Office Document Open
However, even though the certificates say they are owned by
Microsoft, they are not bona fide Microsoft certificates, and content
signed by them would not be trusted by default. Trust is defined on a
certificate-by-certificate basis, rather than on the basis of the
common name. As a result, a warning dialogue would be displayed
before any of the signed content could be executed, even if the user
had previously agreed to trust other certificates with the common
name "Microsoft Corporation". The danger, of course, is that even a
security-conscious user might agree to let the content execute, and
might agree to always trust the bogus certificates.
VeriSign has revoked the certificates, and they are listed in
VeriSign's current Certificate Revocation List (CRL). However,
because VeriSign's code-signing certificates do not specify a CRL
Distribution Point (CDP), it is not possible for any browser's
CRL-checking mechanism to download the VeriSign CRL and use it.
Microsoft is developing an update that rectifies this problem. The
update package includes a CRL containing the two certificates, and an
installable revocation handler that consults the CRL on the local
machine, rather than attempting to use the CDP mechanism.
Versions of the update are being prepared for all Microsoft platforms
released since 1995. However, because of the large number of
platforms that must be tested, the patches are not available at this
writing. Until the update is available, we urge customers to take
some or all of the following steps to protect themselves should they
encounter hostile code signed by one of the certificates.
- Visually inspect the certificates cited in all warning
dialogues. The two certificates at issue here were issued
on 29 and 30 January 2001, respectively. No bona fide
Microsoft certificates were issued on these dates. The
FAQ and Knowledge Base article Q293817 provide complete
details regarding both certificates.
- Install the Outlook Email Security Update
to prevent mail-borne programs from being launched, even via
signed components, and install the Office Document Open
to force web pages to request permission before opening Office
- Consider temporarily removing the VeriSign Commercial Software
Publishers CA certificate from the Trusted Root Store. Knowledge
Base article Q293819 provides details on how to do this.
- The certificates are not trusted by default. As a result,
neither code nor ActiveX controls could be made to run without
displaying a warning dialogue. By viewing the certificate in
such dialogues, users can easily recognize the certificates.
- The certificates are not the bona fide Microsoft code-signing
certificates. Content signed by those keys can be distinguished
from bona fide Microsoft content.
- A software update is under development and will be released
shortly. When it is available, we will update this bulletin
to provide information on how to obtain and use it.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3
-----END PGP SIGNATURE-----
You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security Notification Service. You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the request,
and can be anything you like.
To verify the digital signature on this bulletin, please download our PGP
key at http://www.microsoft.com/technet/security/notify.asp.
For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/technet/security/notify.asp. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.
Go to the Top of This SecurityTracker Archive Page