• # Si tu détestes Microsoft et Internet Explorer, clique ici !

    Posté par . En réponse à la dépêche Darwin OS disponible sur Intel x86. Évalué à -1.

    ----- Original Message -----
    From: Microsoft Product Security
    To: MICROSOFT_SECURITY@ANNOUNCE.MICROSOFT.COM
    Sent: Thursday, March 22, 2001 4:42 PM
    Subject: Microsoft Security Bulletin MS01-017

    The following is a Security Bulletin from the Microsoft Product Security
    Notification Service.

    Please do not reply to this message, as it was sent from an unattended
    mailbox.
    ********************************

    -----BEGIN PGP SIGNED MESSAGE-----

    - ----------------------------------------------------------------------
    Title: Erroneous VeriSign-Issued Digital Certificates Pose
    Spoofing Hazard
    Date: 22 March 2001
    Software: All Microsoft customers should read the bulletin.
    Impact: Attacker could digitally sign code using the name
    "Microsoft Corporation".
    Bulletin: MS01-017

    Microsoft encourages customers to review the Security Bulletin at:
    http://www.microsoft.com/technet/security/bulletin/MS01-017.asp.(...)
    - ----------------------------------------------------------------------

    Issue:
    ======
    VeriSign, Inc., recently advised Microsoft that on January 30 and 31,
    2001, it issued two VeriSign Class 3 code-signing digital
    certificates to an individual who fraudulently claimed to be a
    Microsoft employee. The common name assigned to both certificates is
    "Microsoft Corporation". The ability to sign executable content using
    keys that purport to belong to Microsoft would clearly be
    advantageous to an attacker who wished to convince users to allow the
    content to run.
    The certificates could be used to sign programs, ActiveX controls,
    Office macros, and other executable content. Of these, signed ActiveX
    controls and Office macros would pose the greatest risk, because the
    attack scenarios involving them would be the most straightforward.
    Both ActiveX controls and Word documents can be delivered via either
    web pages or HTML mails. ActiveX controls can be automatically
    invoked via script, and Word documents can be automatically opened
    via script unless the user has applied the Office Document Open
    Confirmation Tool.

    However, even though the certificates say they are owned by
    Microsoft, they are not bona fide Microsoft certificates, and content
    signed by them would not be trusted by default. Trust is defined on a
    certificate-by-certificate basis, rather than on the basis of the
    common name. As a result, a warning dialogue would be displayed
    before any of the signed content could be executed, even if the user
    had previously agreed to trust other certificates with the common
    name "Microsoft Corporation". The danger, of course, is that even a
    security-conscious user might agree to let the content execute, and
    might agree to always trust the bogus certificates.

    VeriSign has revoked the certificates, and they are listed in
    VeriSign's current Certificate Revocation List (CRL). However,
    because VeriSign's code-signing certificates do not specify a CRL
    Distribution Point (CDP), it is not possible for any browser's
    CRL-checking mechanism to download the VeriSign CRL and use it.
    Microsoft is developing an update that rectifies this problem. The
    update package includes a CRL containing the two certificates, and an
    installable revocation handler that consults the CRL on the local
    machine, rather than attempting to use the CDP mechanism.

    Versions of the update are being prepared for all Microsoft platforms
    released since 1995. However, because of the large number of
    platforms that must be tested, the patches are not available at this
    writing. Until the update is available, we urge customers to take
    some or all of the following steps to protect themselves should they
    encounter hostile code signed by one of the certificates.
    - Visually inspect the certificates cited in all warning
    dialogues. The two certificates at issue here were issued
    on 29 and 30 January 2001, respectively. No bona fide
    Microsoft certificates were issued on these dates. The
    FAQ and Knowledge Base article Q293817 provide complete
    details regarding both certificates.
    - Install the Outlook Email Security Update
    (http://www.officeupdate.com/2000/downloadDetails/Out2ksec.htm(...))
    to prevent mail-borne programs from being launched, even via
    signed components, and install the Office Document Open
    Confirmation Tool
    (http://officeupdate.microsoft.com/downloadDetails/confirm.htm(...))
    to force web pages to request permission before opening Office
    documents.
    - Consider temporarily removing the VeriSign Commercial Software
    Publishers CA certificate from the Trusted Root Store. Knowledge
    Base article Q293819 provides details on how to do this.

    Mitigating Factors:
    ====================
    - The certificates are not trusted by default. As a result,
    neither code nor ActiveX controls could be made to run without
    displaying a warning dialogue. By viewing the certificate in
    such dialogues, users can easily recognize the certificates.
    - The certificates are not the bona fide Microsoft code-signing
    certificates. Content signed by those keys can be distinguished
    from bona fide Microsoft content.

    Patch Availability:
    ===================
    - A software update is under development and will be released
    shortly. When it is available, we will update this bulletin
    to provide information on how to obtain and use it.


    - ---------------------------------------------------------------------

    THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
    "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
    WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
    MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
    SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
    DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
    CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
    MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
    POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
    OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
    THE FOREGOING LIMITATION MAY NOT APPLY.



    -----BEGIN PGP SIGNATURE-----
    Version: PGP Personal Privacy 6.5.3

    iQEVAwUBOrodSI0ZSRQxA/UrAQF5ogf+PPlBgMNKx1hSjvUpKCOOGC3vnSGx5rfF
    AbMlLePETm/tfrmyodtL6Gnsi/Upakt20np8Z7xvxDA9+HybF7oDOY4uSZhmyKu9
    kkttEKWA4JmyQbNt4bZw0Rv9iXZttdcd+spmkDg5ntukhQmnEOj8gBnJfXrJEqg8
    3pjnrSJlz1RZ20XLrLMhsQe55eolgrnb2szUFNxFV4tN61TvtIUlO0vcnRgc6ZFG
    2tLo6IZqH+yESt10WhlwLVjmef1QrtkGox3S4JGWdahjbmKAgS+ITH86uGY8L40D
    VBVS4tYX1h0N194n5AimxyV79A1VlqWzXOcbJ4oeZrKWB0gIt+7Cqw==
    =QWGt
    -----END PGP SIGNATURE-----
    --