Oh man... "fake" Microsoft Digital Certificates floating around...
-
Just received this technical bulletin... VeriSign, Inc., recently advised Microsoft that on January 30 and 31, 2001, it issued two VeriSign Class 3 code-signing digital certificates to an individual who fraudulently claimed to be a Microsoft employee. The common name assigned to both certificates is "Microsoft Corporation". The ability to sign executable content using keys that purport to belong to Microsoft would clearly be advantageous to an attacker who wished to convince users to allow the content to run.
http://www.microsoft.com/technet/security/bulletin/MS01-017.asp
Are we really ready for something like Hailstorm? Wow.
David
-
How could that happen? If we can't trust VeriSign, then who can we trust? In my opinion, it should be normal for a company like VeriSign to verify all requests they receive?
Funny to see on the MS Security Bulletin:
Affected Software:
Microsoft Windows® 95
Microsoft Windows 98
Microsoft Windows Me
Microsoft Windows NT® 4.0
Microsoft Windows 2000
What's left?
-- Alex Marbus www.marbus.net
-
The two certificates were revoked, but:
1. Because VeriSign's code-signing certificates do not specify a CRL Distribution Point (CDP), it is not possible for any browser's CRL-checking mechanism to download the VeriSign CRL and use it.
2. The update package includes a CRL containing the two certificates, and an installable revocation handler that consults the CRL on the local machine, rather than attempting to use the CDP mechanism.
1 & 2 above mean that there is no way to tell that the certificates were revoked until you download the upcoming patch. Until then you should "manually" examine the certificates which sign a piece of code from Microsoft.
3. Authenticode can use the TSA at VeriSign to countersign the code when using this kind of certificate. This operation will fail now because VeriSign knows that the certificates were revoked. However, the timestamping/countersigning is not mandatory when signing the code. The strangest thing is that the warning dialog which pops up when you open signed code does not complain about the missing timestamp, and you can't even see if there is a timestamp/countersignature at all.
Wow indeed.
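To see points 1 and 2 in action, here is a constructed demo (added for this thread, not from Microsoft, VeriSign or the bulletin): a throwaway CA issues a code-signing certificate with no CRL Distribution Point, revokes it, and the only verifier that notices is one handed the CRL locally, which is what the update package does. It assumes the openssl command-line tool; the CA, the "Microsoft Corporation" end-entity cert and all file names are made up.

```shell
#!/bin/sh
# Constructed demo: a throwaway CA issues a code-signing cert with NO CRL
# Distribution Point (as described for the VeriSign Class 3 certs), then
# revokes it. Chain validation alone still says "ok"; only a verifier that
# is handed the CRL locally, the approach the MS01-017 package took, sees
# "revoked". Assumes the openssl CLI; all names and files are made up.
set -eu
W=$(mktemp -d); cd "$W"
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
serial = serial
new_certs_dir = .
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any
[ any ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ v3ca ]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
[ cs ]
extendedKeyUsage = codeSigning
EOF
touch index.txt; echo 01 > serial
q() { "$@" >/dev/null 2>&1; }   # run quietly; set -e still aborts on failure
q openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -subj /CN=DemoCA -config ca.cnf -extensions v3ca
q openssl req -newkey rsa:2048 -nodes -keyout ee.key -out ee.csr -subj "/CN=Microsoft Corporation" -config ca.cnf
q openssl ca -batch -config ca.cnf -cert ca.pem -keyfile ca.key -extensions cs -in ee.csr -out ee.pem

# 1. Does the cert tell a verifier where its CRL lives? No CDP extension here.
has_cdp() { openssl x509 -in "$1" -noout -text | grep -q 'CRL Distribution Points' && echo cdp || echo no-cdp; }
# 2. Plain chain validation knows nothing about revocation.
verify_chain() { openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1 && echo ok || echo fail; }

# The CA revokes the cert and publishes a CRL (what VeriSign did on its side).
q openssl ca -config ca.cnf -cert ca.pem -keyfile ca.key -revoke ee.pem
q openssl ca -config ca.cnf -cert ca.pem -keyfile ca.key -gencrl -out crl.pem
# 3. With no CDP the CRL must be supplied locally; only then is the cert rejected.
verify_with_crl() { openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem "$1" >/dev/null 2>&1 && echo ok || echo revoked; }

echo "cdp: $(has_cdp ee.pem), chain only: $(verify_chain ee.pem), with local CRL: $(verify_with_crl ee.pem)"
```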
-
I think you forgot Windows CE... ...and Microsoft GIF Animator. ;P
- - - - - - - - - - - - - - - - - -
Memory leaks is the price we pay \0 01234567890123456789012345678901234
I'm wondering why Internet Explorer isn't identified as a product individually. It seems to me that it is the running of rogue ActiveX controls that's the major concern...
D
-
IE in itself isn't the problem; those ActiveX controls are. Of course it's cool to view any type of document (Word/Excel/PowerPoint/PDF etc.) in your browser, but that also means you can't be sure about your security anymore; it's in the hands of third parties. Makes me wonder, is it possible to do something with a filesystem in a PDF (like deleting or renaming files)?
-- Alex Marbus www.marbus.net