===========================================================================
             AUSCERT External Security Bulletin Redistribution

    ESB-2001.128 -- Microsoft Security Bulletin MS01-017 (version 2.0)
    Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard
                               29 March 2001

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Impact:                 Reduced Security
                        Provide Misleading Information
Access Required:        Remote

Ref:                    AL-2001.04

--------------------------BEGIN INCLUDED TEXT--------------------

---------------------------------------------------------------------
Title:      Erroneous VeriSign-Issued Digital Certificates Pose 
            Spoofing Hazard
Released:   22 March 2001
Revised:    28 March 2001 (version 2.0)
Software:   All Microsoft operating systems
Impact:     Attacker could digitally sign code using the name
            "Microsoft Corporation".
Bulletin:   MS01-017

Microsoft encourages customers to review the Security Bulletin 
at: http://www.microsoft.com/technet/security/bulletin/MS01-017.asp.
---------------------------------------------------------------------

Reason for Revision:
====================
The software update discussed in the original version of the bulletin
is now available.

Issue:
======
In mid-March 2001, VeriSign, Inc., advised Microsoft that on January 
29 and 30, 2001, it issued two VeriSign Class 3 code-signing digital 
certificates to an individual who fraudulently claimed to be a 
Microsoft employee. The common name assigned to both certificates is 
"Microsoft Corporation". The ability to sign executable content using
keys that purport to belong to Microsoft would clearly be 
advantageous to an attacker who wished to convince users to allow the
content to run. 

The certificates could be used to sign programs, ActiveX controls, 
Office macros, and other executable content. Of these, signed ActiveX
controls and Office macros would pose the greatest risk, because the 
attack scenarios involving them would be the most straightforward. 
Both ActiveX controls and Word documents can be delivered via either 
web pages or HTML mails. ActiveX controls can be automatically 
invoked via script, and Word documents can be automatically opened 
via script unless the user has applied the Office Document Open 
Confirmation Tool. 

Even though the certificates say they are owned by Microsoft, they 
are not bona fide Microsoft certificates, and content signed by them 
would not be trusted by default. Trust is defined on a certificate-
by-certificate basis, rather than on the basis of the common name. As
a result, a warning dialogue would be displayed before any of the 
signed content could be executed, even if the user had previously 
agreed to trust other certificates with the common name "Microsoft 
Corporation". The danger, of course, is that even a security-
conscious user might agree to let the content execute, and might 
agree to always trust the bogus certificates. 

VeriSign has revoked the certificates, and they are listed in 
VeriSign's current Certificate Revocation List (CRL). However, 
because VeriSign's code-signing certificates do not specify a CRL 
Distribution Point (CDP), it is not possible for any browser's CRL-
checking mechanism to locate and use the VeriSign CRL. Microsoft has 
developed an update that rectifies this problem. The update package 
includes a CRL containing the two certificates, and an installable 
revocation handler that consults the CRL on the local machine, rather
than attempting to use the CDP mechanism. 
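The revocation path the paragraph above describes, as an added Go example that is not part of the bulletin or of Microsoft's update: a constructed CA issues a code-signing certificate in the same shape as the bogus ones (CN "Microsoft Corporation", issued 29 January 2001, no CRL Distribution Point), the CA publishes a CRL naming that serial, and IsRevoked does what the installable revocation handler does: with no CDP to fetch from, it reads the CRL from a local copy, checks that the issuer signed it, and matches the serial number. The CA name, serial numbers, key type and dates are constructed for the example, not VeriSign's.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
func day(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }

// mintFixture: a constructed CA plus a leaf in the bulletin's shape (CN "Microsoft Corporation", issued 29 Jan 2001, no CDP).
func mintFixture() (ed25519.PrivateKey, *x509.Certificate, *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"}, IsCA: true,
		BasicConstraintsValid: true, NotBefore: day(2000, 1, 1), NotAfter: day(2010, 1, 1), KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTpl, caTpl, caPub, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	leafTpl := &x509.Certificate{SerialNumber: big.NewInt(2001), Subject: pkix.Name{CommonName: "Microsoft Corporation"},
		NotBefore: day(2001, 1, 29), NotAfter: day(2002, 1, 29), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTpl, ca, leafPub, caKey) // CRLDistributionPoints left unset
	leaf, _ := x509.ParseCertificate(leafDER)
	return caKey, ca, leaf
}

// issueLocalCRL stands in for the CRL shipped with the update: the issuer lists the bogus serial.
func issueLocalCRL(caKey ed25519.PrivateKey, ca, bogus *x509.Certificate) []byte {
	tpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: day(2001, 3, 22), NextUpdate: day(2002, 3, 22),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: bogus.SerialNumber, RevocationTime: day(2001, 3, 22)}}}
	der, _ := x509.CreateRevocationList(rand.Reader, tpl, ca, caKey)
	return der
}

// IsRevoked mirrors the installable revocation handler: no CDP to fetch from, so consult the local CRL, insist the issuer signed it, then match the serial.
func IsRevoked(cert, issuer *x509.Certificate, localCRL []byte) (bool, error) {
	if len(cert.CRLDistributionPoints) > 0 {
		return false, errors.New("certificate names a CDP; fetch that CRL instead")
	}
	crl, err := x509.ParseRevocationList(localCRL)
	if err != nil || crl.CheckSignatureFrom(issuer) != nil { // a CRL the issuer did not sign proves nothing
		return false, errors.New("local CRL unreadable or not signed by issuer")
	}
	revoked := false
	for _, rc := range crl.RevokedCertificates {
		revoked = revoked || rc.SerialNumber.Cmp(cert.SerialNumber) == 0
	}
	return revoked, nil
}
```

Trust in the real dialogues is keyed on the individual certificate (serial and issuer), not on the common name, which is why matching the serial against the CRL is the right test and the CN alone proves nothing.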

Customers should take notice of the caveats listed below in the 
section titled "Additional information about this patch", and in 
particular should note that the update will need to be re-installed 
when upgrading to any currently-available version of Windows or 
Internet Explorer. Versions of Windows beginning with Windows XP Gold
and Windows 2000 Service Pack 2, and versions of Internet Explorer 
beginning with IE 6 will not require the update to be re-installed. 

Customers who do not wish to install the update should take the 
following steps to protect themselves in the event that they 
encounter hostile code signed by one of the certificates: 
 - Visually inspect the certificates cited in all warning 
   dialogues. The two certificates at issue here were issued on 
   29 and 30 January 2001, respectively. No bona fide Microsoft 
   certificates were issued on these dates. The FAQ and Knowledge 
   Base article Q293817 provide complete details regarding both 
   certificates. 
 - Install the Outlook Email Security Update 
   (http://www.officeupdate.com/2000/downloadDetails/Out2ksec.htm)
   to prevent mail-borne programs from being launched, even via 
   signed components, and install the Office Document Open 
   Confirmation Tool 
   (http://officeupdate.microsoft.com/downloadDetails/confirm.htm)
   to force web pages to request permission before opening Office 
   documents. 

Mitigating Factors:
===================
 - The certificates are not trusted by default. As a result, 
   neither programs nor ActiveX controls could be made to run 
   without displaying a warning dialogue. By viewing the 
   certificate in such dialogues, users can easily recognize 
   the certificates. 
 - The certificates are not the bona fide Microsoft code-signing 
   certificates. Content signed by those keys can be distinguished 
   from bona fide Microsoft content. 

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read 
   Security Bulletin
   http://www.microsoft.com/technet/security/bulletin/ms01-017.asp
   for information on obtaining this patch.

---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED 
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL 
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF 
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT 
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY 
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, 
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF 
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE 
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION 
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.




--------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be made in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.
