
[atlarge-discuss] the bozos at verisign did it again



From a Microsoft document displayed at http://www.windowsecurity.com/mssecure.asp?ProductID=6

MS01-017 : Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard
(Date Posted - 2001/03/22, Date Revised - 2001/03/28) 
VeriSign, Inc., recently advised Microsoft that on January 29 and 30, 2001, it issued two VeriSign Class 3 code-signing digital certificates to an individual who fraudulently claimed to be a Microsoft employee. The common name assigned to both certificates is "Microsoft Corporation". The ability to sign executable content using keys that purport to belong to Microsoft would clearly be advantageous to an attacker who wished to convince users to allow the content to run. The certificates could be used to sign programs, ActiveX controls, Office macros, and other executable content. Of these, signed ActiveX controls and Office macros would pose the greatest risk, because the attack scenarios involving them would be the most straightforward. Both ActiveX controls and Word documents can be delivered via either web pages or HTML mails. ActiveX controls can be automatically invoked via script, and Word documents can be automatically opened via script unless the user has applied the Office Document Open Confirmation Tool.

However, even though the certificates say they are owned by Microsoft, they are not bona fide Microsoft certificates, and content signed by them would not be trusted by default. Trust is defined on a certificate-by-certificate basis, rather than on the basis of the common name. As a result, a warning dialogue would be displayed before any of the signed content could be executed, even if the user had previously agreed to trust other certificates with the common name "Microsoft Corporation". The danger, of course, is that even a security-conscious user might agree to let the content execute, and might agree to always trust the bogus certificates.

VeriSign has revoked the certificates, and they are listed in VeriSign's current Certificate Revocation List (CRL). However, because VeriSign's code-signing certificates do not specify a CRL Distribution Point (CDP), it is not possible for any browser's CRL-checking mechanism to download the VeriSign CRL and use it. Microsoft is developing an update that rectifies this problem. The update package includes a CRL containing the two certificates, and an installable revocation handler that consults the CRL on the local machine, rather than attempting to use the CDP mechanism.



---------------------------------------------------------------------
To unsubscribe, e-mail: atlarge-discuss-unsubscribe@lists.fitug.de
For additional commands, e-mail: atlarge-discuss-help@lists.fitug.de
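An added worked example, not from the post above or from the Microsoft bulletin it quotes, that models the bulletin's three technical points in Go using only the standard library's crypto/x509. It generates a throwaway CA and two code-signing certificates that both carry the common name "Microsoft Corporation" but are different certificates, issues a CRL from that CA listing the bogus serial, and then runs a decision routine that trusts by certificate fingerprint rather than by common name and consults a CRL already on the local machine (the bulletin's "installable revocation handler") instead of looking for a CRL Distribution Point, which these certificates, like the 2001 VeriSign ones, deliberately lack. The CA name, serial numbers, validity periods, the SubjectKeyId bytes and the run/prompt/reject labels are assumptions made for the demo; nothing here reproduces the real VeriSign certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TrustStore models per-certificate trust: keys are SHA-256 fingerprints of
// individual certificates the user accepted, never common names.
type TrustStore map[string]bool

func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs a code-signing leaf with no CRLDistributionPoints extension (as in 2001).
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, cn string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))))
}

// BuildScenario returns a demo CA (hypothetical name), a genuine and a bogus leaf that
// both say CN=Microsoft Corporation, and a DER CRL from the CA revoking the bogus one.
func BuildScenario() (ca, genuine, bogus *x509.Certificate, crlDER []byte) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Class 3 CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(48 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SubjectKeyId: []byte{0xde, 0xad, 0xbe, 0xef}} // arbitrary; CreateRevocationList insists on an issuer SKID
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	genuine = issue(ca, caKey, 1001, "Microsoft Corporation")
	bogus = issue(ca, caKey, 1002, "Microsoft Corporation")
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute),
		NextUpdate:          time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: bogus.SerialNumber, RevocationTime: time.Now().Add(-time.Minute)}}}
	crlDER = must(x509.CreateRevocationList(rand.Reader, crl, ca, caKey))
	return ca, genuine, bogus, crlDER
}

// RevokedByLocalCRL is the "installable revocation handler": it consults a CRL already
// on the machine instead of fetching one through a CDP, after checking the CA signed it.
func RevokedByLocalCRL(c *x509.Certificate, crlDER []byte, ca *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(ca)
	}
	if err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(c.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// Decide returns "run", "prompt" or "reject". A nil crlDER models the state before
// Microsoft's update: no CDP, so no CRL ever reaches the client.
func Decide(c, ca *x509.Certificate, crlDER []byte, ts TrustStore) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := c.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return "reject", err // does not chain to the CA, expired, or wrong EKU
	}
	if crlDER != nil {
		if revoked, err := RevokedByLocalCRL(c, crlDER, ca); err != nil || revoked {
			return "reject", err
		}
	}
	if ts[Fingerprint(c)] {
		return "run", nil // the user accepted this exact certificate earlier
	}
	return "prompt", nil // a matching CN is not trust: show the warning dialogue
}

func main() {
	ca, genuine, bogus, crlDER := BuildScenario()
	ts := TrustStore{Fingerprint(genuine): true} // the user trusted the genuine certificate once
	for _, c := range []*x509.Certificate{genuine, bogus} {
		noCRL, _ := Decide(c, ca, nil, ts)
		withCRL, _ := Decide(c, ca, crlDER, ts)
		fmt.Printf("serial=%v CN=%q CDPs=%d  no CRL: %s  local CRL: %s\n", c.SerialNumber, c.Subject.CommonName, len(c.CRLDistributionPoints), noCRL, withCRL)
	}
}
```

Run it with go run. The genuine certificate yields "run" with or without the CRL; the bogus one yields "prompt" when no CRL is available (the pre-update situation the bulletin describes, where the warning dialogue is the only safeguard) and "reject" once the local CRL is consulted. Note that chain validation alone passes for the bogus certificate, because the CA really did issue it; only the fingerprint-keyed trust store and the CRL tell the two apart. A CRL signed by some other key is refused by CheckSignatureFrom, so an attacker without the CA key cannot neutralise the handler by swapping the local CRL file.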