Fw: Alert: Microsoft Security Bulletin MS01-017

Nexus nexus at patrol.i-way.co.uk
Thu, 22 Mar 2001 21:58:09 -0000


For another take on the matter:

Regards,
            JJ

----- Original Message -----
From: "Russ" <Russ.Cooper@RC.ON.CA>
To: <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
Sent: Thursday, March 22, 2001 8:29 PM
Subject: Alert: Microsoft Security Bulletin MS01-017


> Hmm, this one is going to take a bit to properly format in my usual Surgeon
> General's warning format. Since there's no patch currently available, I
> wanted to just give you a heads up quickly.
>
> According to Microsoft...(using my own words, not Microsoft's)
>
> Verisign has royally screwed up. Verisign managed to issue a Class 3 Digital
> Certificate, a Certificate which is used for code-signing of things like
> ActiveX controls, Macros, applications, etc... to someone who purported to
> be from Microsoft Corporation. Problem is, that individual was not from
> Microsoft at all.
>
> Such Certificates, when presented to our systems, cause our systems to
> prompt us with a dialog explaining the risks and benefits of Digital
> Certificates. This one will appear to be signed by Microsoft Corporation and
> vouched for by Verisign. It will bear the date of January 30 and/or January
> 31, 2001 if you view the details of the supplied Certificate.
>
> Despite the fact that it's a Microsoft Certificate (for all intents and
> purposes it appears as such), it WILL NOT automatically be trusted by
> anyone's system. Even if you have previously stated that you want to trust
> all signed software from Microsoft, the fact that this one is a *different*
> Microsoft Certificate means you will still be prompted to trust it.
>
> That's a good thing(tm).
>
> The fact that unless you actually check the date on the Certificate you
> won't know whether or not it's one you can trust is a Bad Thing(tm), as
> obviously not everyone (read: next to nobody) is going to check every
> Certificate they get presented with.
>
> You gotta wonder how Verisign's issuance mechanism could be so poorly
> designed and/or implemented to let something like this happen.
>
> Meanwhile, Microsoft are working on a patch which will stick its finger in
> this dam.
>
> Basically, Verisign Code-Signing Certificates do not employ a Certificate
> Revocation List (CRL) feature called CDP, or CRL Distribution Point, which
> causes the Certificate to be checked for revocation each time it's read. Even
> if you have CRL turned on in IE, Verisign Code-Signing Certificates aren't
> checked.
>
> Microsoft's update is going to shim in some mechanism which causes some/all
> Code-Signing Certificates to check some local file/registry key for a CRL,
> which will (at least initially) contain the details of these Certificates.
> Assuming this works as advertised, any attempt to trust the mis-issued
> Certificates should fail.
>
> A sore point for me right now is the lack of info on the perpetrators. We've
> currently got absolutely no information that we could use to help assess the
> relative risk from these errant Certificates. There's no way to tell whether
> we can expect to see hundreds of pieces of mal-signed code, or none. When
> the update is released, probably next week, assessing whether or not it
> should get onto every system in the world (MS is releasing an update that
> will patch every OS produced by them since 1995) immediately, or
> progressively over time.
>
> Without any additional knowledge, I'd start getting ready to
> administratively touch every system you are in contact with later next
> week.
>
> More info as it comes. Expect to see every media outlet run a story later
> today on this.
>
> The bulletin itself can be read at:
>
> http://www.microsoft.com/technet/security/bulletin/MS01-017.asp
>
> Cheers,
> Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
>
> ----------------------------------------------------------------------------
> Delivery co-sponsored by BindView Corporation
>
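A small model of the trust decision Russ describes above (trust keyed on the certificate itself rather than the "Microsoft Corporation" name, no online revocation check without a CDP extension, and a client-side local CRL as the update's stop-gap), added here as an illustration; it is not the original post's code nor Microsoft's update. The issuer name, serials and fingerprints are constructed placeholders, and `fetch_crl` is a hypothetical callback.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CodeSigningCert:
    issuer: str
    subject: str
    serial: str                          # constructed placeholder values below
    not_before: date                     # the date a user would have to inspect
    fingerprint: str                     # what the trust store actually keys on
    crl_distribution_points: tuple = ()  # empty tuple: no CDP extension


def evaluate(cert, trusted_fingerprints, local_crl, fetch_crl=None):
    """Return 'reject', 'trusted' or 'prompt' for a code-signing certificate.

    local_crl: set of (issuer, serial) pairs held locally by the client, the
    kind of list the bulletin's update is described as checking.
    fetch_crl: hypothetical callable(url) -> set of revoked serials; only ever
    consulted when the certificate carries a CDP extension.
    """
    if (cert.issuer, cert.serial) in local_crl:
        return "reject"
    for url in cert.crl_distribution_points:      # skipped entirely when no CDP
        if fetch_crl is not None and cert.serial in fetch_crl(url):
            return "reject"
    # Trust is remembered per certificate, so a second certificate bearing the
    # same subject name still falls through to the user prompt.
    if cert.fingerprint in trusted_fingerprints:
        return "trusted"
    return "prompt"


CA = "VeriSign Class 3 code-signing CA (placeholder name)"
# Constructed sample certificates; the real serials are not on the page.
GENUINE = CodeSigningCert(CA, "Microsoft Corporation", "01", date(2000, 6, 1), "fp-genuine")
MISISSUED = CodeSigningCert(CA, "Microsoft Corporation", "02", date(2001, 1, 30), "fp-other")
TRUSTED = {"fp-genuine"}                 # user chose "always trust" on GENUINE


def before_update():
    # No CDP, empty local CRL: the only protection is the user reading the date.
    return evaluate(MISISSUED, TRUSTED, local_crl=set())


def after_update():
    # The shipped local CRL lists the mis-issued serial, so trust fails outright.
    return evaluate(MISISSUED, TRUSTED, local_crl={(CA, "02")})
```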