Continued from "Security Flaw in Microsoft Outlook".
Following are all the emails between Microsoft and myself that show the complete unwillingness on Microsoft's behalf to acknowledge and fix the problem reported to them.
The full, original emails are available here.
Roberto Franceschetti
LogSat Software
roberto@logsat.com
The emails are in two series: first the series To/From Christopher, finally resulting in case 5608 after heated conversations; then a series To/From Lennart, resulting in... nothing. Each series is shown newest first, as Outlook quoted it.
Hi Christopher, fair enough,

I'll wait for Lennart.

Roberto

-----Original Message-----
From: Microsoft Security Response Center [mailto:secure@microsoft.com]
Sent: Friday, October 22, 2004 3:02 PM
To: roberto@logsat.com
Cc: Microsoft Security Response Center
Subject: RE: Security Vulnerability Report [5608lw]

Hello Roberto,

I have opened case 5608 to further investigate this. The case owner, Lennart, will get in touch with you as soon as he has more information.

Thanks,
Christopher, CISSP

-----Original Message-----
From: Roberto Franceschetti [mailto:roberto@logsat.com]
Sent: Friday 22 October 2004 11:53
To: Microsoft Security Response Center
Subject: RE: Security Vulnerability Report

Hi Christopher,

This is to inform the security response center that since my report is not being recognized as a problem, and Microsoft firmly believes Outlook is performing to specs, I have no other choice than to release the information to CERT, SANS, AntiOnline and to relevant newsgroups. Companies that rely on digital signatures need to understand the limitations and risks involved in using them with Outlook. My report will go out this weekend, but again, if the issue is acknowledged by Microsoft before that occurs, I'm more than willing to work with you and wait while a patch is issued.

Roberto

________________________________
From: Roberto Franceschetti [mailto:roberto@logsat.com]
Sent: Thursday, October 21, 2004 10:58 PM
To: 'Microsoft Security Response Center'
Subject: RE: Security Vulnerability Report

================================
In other words, Outlook does not rely on the From line as the signer, but uses the digital signature itself. Am I missing what you are reporting here?
================================

Yes, you're missing what I'm reporting, and, pardon the bluntness, but you're also missing how Outlook works. As I mentioned in a previous email, in the 1st forged email I sent I did not forge the actual email itself as Outlook displays it.
In the following email to you I attached a second forged email (signed with an MS Certificate Server certificate) that does show such a sample instead (I simply misspelled my last name in the email, Dranceschetti instead of Franceschetti in the sender - roberto.dranceschetti@ocfl.net). But since that was apparently too complex to understand, attached is yet another forged copy of the Verisign-signed one that shows all the problems. Contrary to what you stated, this email will show "Hackers Franceschetti [hackers@logsat.com]" in the "From" section in Outlook, and if you double-click on it, a dialog box with the same "impostor" pops up with the details. In case this too is hard to understand, you'll find a screenshot as well.

Now, I *have* modified the sender, in all forms possible. Outlook does not see it. Now please refer to the section of the Outlook help file (link in prev. email) that states that a digital signature "proves to the recipient that the message is from you and not from an imposter". I'd say that an email from hackers@logsat.com is an impostor, wouldn't you say? So this *is* a big problem.

I'm honestly done with the explanations. Your bolded statement above is clearly wrong: as you can see from the attached modified message (and screenshots), the From line is *not* taken from the certificate. I've tried to help in making you understand the problem and the huge identity theft it poses, but if you respond with the attitude "this is how it works, it's right, and it's not going to change" I'm not going to waste more of my time. I've found what myself and many others see as a huge security hole in how digital signatures are handled by Outlook. I've been very correct in letting Microsoft know immediately about the problem, spending a considerable amount of time documenting it in detail for you to see. I've also spent time in researching your statements and proving them wrong.
Unless you forward all this documentation to your superiors and I'm contacted by one of them, my only choice will be to make all of this (including our conversations and your responses - so much for trustworthy computing....) public.

Roberto

-----Original Message-----
From: Microsoft Security Response Center [mailto:secure@microsoft.com]
Sent: Thursday, October 21, 2004 9:44 PM
To: roberto@logsat.com
Cc: Microsoft Security Response Center
Subject: RE: Security Vulnerability Report

I completely agree the digital signature should verify not only the message contents, but also the signer. In the case of your forged message from Roberto Somebody_Else [hackers@logsat.com], the digital signature (a few lines down in the display, "Signed By") still shows roberto@logsat.com. In other words, Outlook does not rely on the From line as the signer, but uses the digital signature itself. Am I missing what you are reporting here?

In terms of your application to submit electronic cases, you could just write it to use the digital signer, not the message sender, as the verified submitter. What would be interesting (and a big problem) is if you can modify the message and still have Outlook show a valid signature of the original signer.

Thanks,
Christopher, CISSP

-----Original Message-----
From: Roberto Franceschetti [mailto:roberto@logsat.com]
Sent: Thursday 21 October 2004 18:20
To: Microsoft Security Response Center
Subject: RE: Security Vulnerability Report

Christopher,

RFC 2633 merely states what parts of the email S/MIME includes, and as you correctly stated, it does not include the email's headers. That is not the point. A digital signature in an email is supposed to verify, along with the validity of the S/MIME content, also the identity of the sender.
This is also made very clear in the Outlook help file (http://office.microsoft.com/assistance/hfws.aspx?AssetID=HP052423541033&CTT=1&Origin=EC010230001033&QueryID=XUI66rUx90):

> Digitally sign messages
> Digitally signing a message applies your certificate (certificate: A digital means of proving your identity. When you send a digitally signed message you are sending your certificate and public key. Certificates are issued by a certification authority, and like a driver's license, can expire or be revoked.) (with the public key (public key: The key a sender gives to a recipient so that the recipient can verify the sender's signature and confirm that the message was not altered. Recipients also use the public key to encrypt (lock) e-mail messages to the sender.)) to the message. This proves to the recipient that the message is from you and not from an imposter and that the message has not been altered. Encrypting (encrypt: The process of converting plain, readable text into cipher (scrambled) text. The sender uses the recipient's public key to encrypt (lock) the e-mail message and attachments.) a message is a separate process.

Please do not confuse what the S/MIME specifications are with the fact that I can easily forge the identity of the parties in a digitally signed email. This is clearly in violation of what a digital signature is supposed to do (just refer to the bold in the help file above... and note my signed hacker@logsat.com email address in the sample I sent, clearly an imposter). And let's not forget that again, Outlook Express (and other non-MS email clients) work just fine. If you do not agree, we can always post this "non-security bug" to newsgroups and see what the public thinks.
Roberto

-----Original Message-----
From: Microsoft Security Response Center [mailto:secure@microsoft.com]
Sent: Thursday, October 21, 2004 4:39 PM
To: roberto@logsat.com
Cc: Microsoft Security Response Center
Subject: RE: Security Vulnerability Report

Hello Roberto,

Thank you for getting back to me. I have done some initial investigation on your issue. According to http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3MsgSecGuide/7b378caa-58c5-495e-a703-8691766b8406.mspx, Outlook 2000 and greater use S/MIME version 3. Section 3.1 of the S/MIME Version 3 Message Specification RFC at http://ietf.org/rfc/rfc2633.txt?number=2633 says, "A MIME entity that is the whole message includes only the MIME headers and MIME body, and does not include the RFC-822 headers." Based on this, it seems to me Outlook conforms to the standard for S/MIME in not including the Sender or From addresses as part of the signed message. Does this answer your concern, or am I misunderstanding your report?

Thanks,
Christopher, CISSP

-----Original Message-----
From: Roberto Franceschetti [mailto:roberto@logsat.com]
Sent: Thursday 21 October 2004 11:51
To: Microsoft Security Response Center
Subject: RE: Security Vulnerability Report

Very well then, I guess we can use these emails as proof. FYI, please note that I also found the ftp security flaw in MS09-039, so I should not be one of the thousands who probably write you guys daily for nuances (hopefully). Attached are two emails signed with my Verisign digital certificate.
One is original, unaltered. The other one I tampered with, altering the sender to make it look like someone else. Outlook still treats it as absolutely valid. This of course is a rather big problem, being that digital signatures are to ensure that the original document is not altered by matching its hash with the one in the signature. You can reach me on my cell at 407-925-**** for more info if I'm not at the office number. I'd also request an acknowledgment when a fix will be ready (assuming I'm not making a huge mistake and this is a false alarm).

Roberto

-----Original Message-----
From: Microsoft Security Response Center [mailto:secure@microsoft.com]
Sent: Thursday, October 21, 2004 2:32 PM
To: Franceschetti, Roberto
Cc: Microsoft Security Response Center
Subject: RE: Security Vulnerability Report

Hello again,

I will be able to provide you a case number and the name of the case owner once I open it. However, I cannot open a case without knowing more information about the suspected vulnerability. You can read more about our policies and practices at http://www.microsoft.com/technet/security/topics/policy/msrpracs.mspx.
Thanks,
Christopher, CISSP

-----Original Message-----
From: Roberto.Franceschetti@ocfl.net [mailto:Roberto.Franceschetti@ocfl.net]
Sent: Thursday 21 October 2004 11:26
To: Microsoft Security Response Center
Subject: RE: Security Vulnerability Report

Hi Christopher,

Due to the seriousness of the problem, please understand if I'll require to be assigned a case number so I can refer to an entry in your ticketing system should any future problems arise. Once that is done, I'll be glad to walk you thru the steps to reproduce it.

Regards,
Roberto Franceschetti
Tel. 36-8509

-----Original Message-----
From: Microsoft Security Response Center [mailto:secure@microsoft.com]
Sent: Thursday, October 21, 2004 2:14 PM
To: Franceschetti, Roberto
Cc: Microsoft Security Response Center
Subject: RE: Security Vulnerability Report

Hello Roberto,

Thanks for your note. Unfortunately, I am not able to reproduce the issue without more information. Would you please tell me the exact steps to reproduce the problem?

Thanks,
Christopher, CISSP

-----Original Message-----
Sent: Wednesday 20 October 2004 20:08
To: Microsoft Security Response Center
Subject: Security Vulnerability Report

CONTACT INFORMATION
May we contact you about this report? Yes
Name: Roberto Franceschetti
Email: roberto.franceschetti@ocfl.net
Phone:

COMPUTER INFORMATION
Manufacturer and model of your computer: Computer model is irrelevant
Have you installed any additional hardware on the system? No
Have you installed any operating system security patches? Yes
You've asked for them...
AFFECTED PRODUCT
What product are you reporting a security vulnerability in?
Product Name: Microsoft Outlook 2003
Product Version: 11.6359.6360
Have you installed any service packs for the product?: Yes SP1
Have you installed any security patches for the product?: Yes
VULNERABILITY INFORMATION
Please describe the flaw in the product:
Digital signatures - Emails in Outlook signed with S/MIME using either a commercial personal certificate with Verisign or using a certificate issued by MS Certificate Server can be altered. Outlook will not show any warnings about the email being changed; the digital signature will still be reported valid even though the message content has been modified and parties involved in the signatures changed. This is an extremely serious flaw as I can change any digitally signed emails I want without Outlook ever noticing. FYI - Outlook Express does not have this flaw.
Please contact me immediately, as I work with Orange County Govt., and we discovered this huge problem while investigating the feasibility of using digital signatures in the filing of electronic cases online. This is definitely a showstopper.
Is the flaw present in the product in the default configuration? Don't Know
Please tell us how to duplicate the problem in our laboratory:
I will only discuss this after being assigned a case number and having spoken with a live person.
Please describe how someone might mount an attack via the flaw:
Having access to email files, digitally signed emails are changed to alter their content.
Please describe what the result of a successful attack would be:
Changing a digitally signed email without invalidating the signature.
Please provide any additional information that might be helpful in investigating this issue:
My contact info is: Roberto Franceschetti roberto@logsat.com / roberto.franceschetti@ocfl.net tel. 407-836-****
Hi Lennart,

While I'm deeply convinced that trying to please customers that really do not understand the implication of their requests has de facto invalidated the reliability of using digital signatures with Outlook, your request to ask for a second opinion from CERT is very reasonable. Yes, I'll be happy to discuss this matter with you and them.

Roberto

-----Original Message-----
From: Microsoft Security Response Center [mailto:secure@microsoft.com]
Sent: Thursday, November 04, 2004 9:11 PM
To: roberto@logsat.com
Cc: Microsoft Security Response Center
Subject: RE: Security Vulnerability Report [5608lw]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Roberto,

I have had a long discussion with the product team about this and we will look into possible ways to clarify both the design and intent of signing email. I cannot commit to a time line or shipping mechanism, but some possible changes to the UI are being considered. However, the feature is working as intended and, in fact, it is made this way in no small part based on customer requests. I believe that it used to verify the signature against the SMTP FROM field, but this was changed as it generated so many false positives as to in effect render the feature unusable. Another valid example where signatures wouldn't work is that posts made to mailing lists frequently change the From address to a proxy address. PGP works in the same way, as you can see from e.g. Microsoft's security bulletin mailers. They are signed using our PGP key (secure@microsoft.com) but that is not the address the mail originates from; this is similar to posts to public news groups. Being able to protect the SMTP headers using either of these mechanisms would be great, but I don't think it is fully doable given the constraints, especially in an enterprise environment. I think it might be a good idea to involve CERT here if you like, to get a second opinion. Would you like to engage in that discussion together?
/Lennart - -----Original Message----- From: Roberto Franceschetti [mailto:roberto@logsat.com] Sent: Friday, October 29, 2004 9:17 PM To: Microsoft Security Response Center Subject: RE: Security Vulnerability Report [5608lw] Lennart, As I already discussed with the 1st tech, Christopher, you should not confuse the RFC2633 with the concept of digital signatures. That RFC simply describes what S/MIME is and how it's implemented. As you've correctly stated, it does not apply to the email's headers, just as it's applications are not limited to emails. All it is is the definition of how S/MIME works. The issue here is another. Digitally signed emails rely on multiple standards to ensure the contents are not altered and to identify the identity of the sender. Outlook just happens to use S/MIME for part of this purpose (the integrity of the content). But Outlook is failing to do a pretty major thing. It's not ensuring the identity of the sender! That is absolutely against what digitally signed emails are supposed to prevent. I've been able to change a digitally singned email, and make it appear that "hacker@logsat.com" sent it. Outlook did not complain and confirms the email is authentic. Now if you say that behavior is by design, yes, it means there are no bugs since it's working as the programmers wanted. But then in this case the problem is even worse, as it was intentional. It's not a matter of correcting the documentation, because you are now distributing a product that is not able to verify the sender of digitally signed signatures, and that sees "hacked" emails as valid. The Exchange scenarios you mentioned are *supposed* to fail, since the sender's email is not the one who signed the certificate. We were looking at this technology for digitally signing court documents in Orange County. This has caused a grat drawback, as we have proven that digitally signing an email in no way authenticates the sender, which is *exactly* what we were looking in a digital signature. 
As a side note, your statement "instead add the signed by line to the header which identifies the email address of the person who signed the message" is not very conforting. As you yourself said, S/MIME does not check email headers, and so I'm pretty sure I can modify the very same header you mention above to even more forge the email. To summarize, please do not use RFC2633 as an excuse to justify Outlook's behavior, as digital signatures are more than S/MIME compliance. Please think about these implications very carefully, because I will have to release and publicize my findings sooner or later, and I'm guessing you would really like to have a fix ready before this occurs. Roberto - -----Original Message----- From: Microsoft Security Response Center [mailto:secure@microsoft.com] Sent: Friday, October 29, 2004 8:36 PM To: roberto@logsat.com Cc: Microsoft Security Response Center Subject: RE: Security Vulnerability Report [5608lw] Thanks Roberto, On my way out for the weekend but I do have some data to share with you. The behavior you are seeing is actually the result of a by design decision. A warning about that the sender's address does not match the signer's address would cause a number false positives in many valid scenarios such a proxy addresses. In, for instance, Exchange scenarios it is often the case that the email address "user@company.com" may only be a proxy address for the real internal address of "user@department.company.com". So the sender's address will be "user@company.com" but it will be signed with a cert that contains "user@department.company.com" rather. As a result the design that was chosen was to not warn and instead add the signed by line to the mail header which identifies the email address of the person who signed the message and the person receiving it should use the signed by line to tell who signed the message. 
Now, I will ask them to look into this long term as well to see whether we should look at protecting the headers, as RFC 2633 doesn't speak to that. The product team is also looking at the documentation to make this more clear and I thank you for pointing this out. Please let me know your thoughts here. Have a good weekend. /Lennart - -----Original Message----- From: Roberto Franceschetti [mailto:roberto@logsat.com] Sent: Friday, October 29, 2004 5:07 PM To: Microsoft Security Response Center Subject: RE: Security Vulnerability Report [5608lw] Lennart, Since I have not heard anything for the whole week, this is to "ping" you for an update. Thanks, Roberto - -----Original Message----- From: Microsoft Security Response Center [mailto:secure@microsoft.com] Sent: Friday, October 22, 2004 6:17 PM To: roberto@logsat.com Cc: Microsoft Security Response Center Subject: RE: Security Vulnerability Report [5608lw] Hi Roberto, The product team is looking at this now. I know they will be looking at this as well but could you perhaps tell me what behavior you have seen in OE and other mail readers? Weekend is coming up here so I'll get back to you next week with more but please don not hesitate to ping me for status should you not hear from me, I intend to but just shoot me some mail if not. 
Kind regards and have a good weekend /Lennart -----BEGIN PGP SIGNATURE----- Version: PGP 8.1 iQIVAwUBQYrgs4reEgaqVbxmAQLXsQ/+MozM18XOajmIC/s5TlWoQh632bYeSruv v8rSaTcf7rjPXa7YBVblQCYcyw9iEMz/PRTSsAClKtonRvCB+oJhgrOgv7887Tj8 iPFJeQIIUvKnlmsu7PexZuxRJIk5hh2fOthfF1U8Nw89nneWaGptKJ5pKpkWxart DCR37qT76XdhJL3nu26/0LXAT4UAOibRKtWGaKNB6fcn67ODZ9dTfU5VIUTLIM2V l8wB/1GluZL0Yd7Tvk3U3+zEnjwH6Gk4WXxEW5uFD5HmnqrIUcoqKBWJxzmf6AYt HowyqxZHyWmN86Rnx3flAjhphlqOFKvILqtpDdase0w7ROHeiUfAy+Widm3N39lN gJhLQrYG8NLlQ468V1v0QbcKCDZQyGj470/oHs40AxMLY5yC+fDeq5tVMSsErqKT danbs+vxpG95TI2MCO0SgHK8nvfZ9Ty97uC7J3UxHcVO4m9vj7NgMLIAgqbBL2Ov RErATIYRG2bkhIdWgEK0+zTkhs5pvjbTpJP5k5NDJeCdbXRNv9Zzrd7xbPceftBO u3mPwJavwOrNgpS1JIyivcE+wX3w0hB/zIariHRwyMHT2M6CVO10Zdf7uPv2wuo2 SvJL5HemTRP8ClH6pWwOXE9L7gdPDa03XfinsxQBGcvnnK9KsyJjMeD80sctryTR RfkmSqruHhY= =Ljdn -----END PGP SIGNATURE----- |
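The disagreement in the thread comes down to one missing check: after the S/MIME signature on the body verifies, does the From: address match the identity bound in the signer's certificate? Roberto's case is a From: header rewritten to "hacker@logsat.com" on an otherwise intact signed message; Lennart's counter-case is the Exchange proxy address ("user@company.com" signed by a cert for "user@department.company.com"). The following is an added example, not code from Outlook, from Microsoft or from the thread's author, showing a receiving-side policy that warns on the mismatch while still allowing explicitly configured proxy mappings. It assumes the S/MIME signature itself has already been cryptographically verified by a CMS library and that the email addresses from the signer's certificate (rfc822Name subjectAltName or emailAddress) have been extracted from it; those are passed in as a list. The message, the signature part (a placeholder, not a real PKCS#7 blob) and the proxy mapping are constructed for the example.

```python
"""Added example: warn when a signed message's From: does not match the signer.

Assumption: the S/MIME signature over the body has already been verified by a
CMS library, and the addresses carried in the signer's certificate were
extracted from it and are passed to check_from_against_signer(). Only the
header-vs-signer comparison is shown here.
"""
from email import message_from_string
from email import policy
from email.utils import parseaddr

# Constructed sample: signed body untouched, From: rewritten after signing.
# The pkcs7 part below is a placeholder, not a real signature blob.
SAMPLE_MESSAGE = """\
From: "Roberto Franceschetti" <hacker@logsat.com>
To: recipient@example.org
Subject: Signed message
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="b1"

--b1
Content-Type: text/plain

Please approve the attached filing.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--b1--
"""


def _norm(addr):
    """Strip the display name and lower-case the bare address.

    Folding the local part is a policy choice; it prevents a trivial
    case-variant bypass at the cost of strict RFC local-part semantics.
    """
    return parseaddr(addr)[1].strip().lower()


def check_from_against_signer(raw_message, signer_addresses, proxy_map=None):
    """Return (ok, reason).

    ok is True only when the message is multipart/signed, carries a
    pkcs7-signature part, and the From: address is either one of the
    signer's certificate addresses or an explicitly configured proxy
    address for one of them (the Exchange scenario from the thread).
    """
    proxy_map = proxy_map or {}
    msg = message_from_string(raw_message, policy=policy.default)

    if msg.get_content_type() != "multipart/signed":
        return False, "message is not multipart/signed"
    parts = list(msg.iter_parts())
    if not any(p.get_content_type() == "application/pkcs7-signature" for p in parts):
        return False, "no pkcs7-signature part found"

    from_addr = _norm(msg.get("From", ""))
    if not from_addr:
        return False, "missing or unparsable From: header"

    signers = {_norm(a) for a in signer_addresses}
    if from_addr in signers:
        return True, f"From {from_addr} matches signer certificate"

    # Proxy handling: only an explicit mapping from the externally visible
    # address to the internal certificate address is accepted. No wildcard
    # or domain-suffix matching, so a forged From: in the same domain still
    # produces a warning.
    allowed_internal = {_norm(a) for a in proxy_map.get(from_addr, [])}
    matched = sorted(signers & allowed_internal)
    if matched:
        return True, f"From {from_addr} is a configured proxy for signer {matched[0]}"

    return False, (f"From {from_addr} does not match signer certificate "
                   f"address(es) {sorted(signers)}")


if __name__ == "__main__":
    # Constructed signer identity, as a CMS verifier would report it.
    ok, reason = check_from_against_signer(SAMPLE_MESSAGE, ["roberto@logsat.com"])
    print("valid signer" if ok else "WARNING:", reason)
```

The decision to warn rather than silently accept is the whole point: the body signature proves who signed the content, and this check is what ties that identity to the address the reader sees. The proxy map is the one place where the Exchange scenario is allowed through, and it has to be configured by the deployment rather than inferred from the domain.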
The original emails between Microsoft and myself are available here: