
Verisign screw the pooch.

  • 26-03-2001 8:09pm, #1


    I normally have most of that crap switched off anyway, but this is an IS department's nightmare.
    CERT Advisory: http://www.cert.org/advisories/CA-2001-04.html

    From W2K News: 3/25/2001

    * WARNING - Microsoft Digital Certificates Compromised.

    Someone posing as being from Microsoft has gotten hold of a pair of
    digital certificates. This is ugly. Why? These actually can be used
    to make someone believe they are downloading genuine Microsoft code
    while in reality they might install a malignant piece of code. The
    alert that MS sent out regarding this, warns the problem covers all
    the existing versions of Windows. Not good.

    Let me quote Russ Cooper, Surgeon General of TruSecure Corporation and
    NTBugtraq Editor: "Verisign has royally screwed up. Verisign managed
    to issue a Class 3 Digital Certificate, a Certificate which is used for
    code-signing of things like ActiveX controls, Macros, applications,
    etc... to someone who purported to be from Microsoft Corporation."
    The black hat seems to have used some social engineering to pull the
    wool over Verisign's eyes.

    A digital certificate, when your box gets presented with one, shows
    you a prompt that explains how these certificates work, and asks you
    to trust it. Now, if you get presented with a Microsoft cert, either
    via HTML or email, you have to check the date! If it has a date of
    Jan 30 or Jan 31, 2001, you cannot trust it; do not download
    the presented code. No real MS certs were issued on these dates.

    The bogus Cert will NOT be trusted automatically by your system, so
    that is positive. But the fact you need to check the date (which users
    very likely will not do) is definitely the liability here. Microsoft
    is working on a solution but that is not here yet. I think you should
    plan to patch all the systems you are managing in the next few weeks.
    It's also not clear who the Black Hats are that pulled this off, so
    we do not know what nastiness to expect: a virus, worm, trojans, your
    hard disk trashed or other exploits.

    Quite a few people in Microsoft are actually pretty ****ed off. They
    stated there has to be some kind of revocation mechanism in place to
    correct this kind of thing. But it ain't working right at the moment,
    as the URL for the CRL (Certificate Revocation List) is not filled
    out in the certificates. You may need to install a CRL on every box
    yourself, or get code from MS that makes Explorer look at the MS CRL.
    I'll let you know more when I know more.

    http://www.microsoft.com/technet/security/bulletin/MS01-017.asp
    Microsoft Knowledge Base articles Q293817 and Q293819 also appeared.
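Added example (not from the post or the newsletter it quotes): a Go program, standard library only, that automates the two things the alert says users and admins are left to do by hand. It flags a certificate whose subject reads "Microsoft Corporation" and whose validity starts on 30 or 31 January 2001, and it flags a certificate with no CRL distribution point, the gap that stops revocation from working automatically. The certificate it audits is constructed sample data, and matching on that exact common name is an assumption about how the fraudulent certificates were named.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// auditCodeSigningCert applies the two checks the quoted alert describes: a "Microsoft
// Corporation" cert issued on 30/31 Jan 2001, and a cert that names no CRL URL at all.
func auditCodeSigningCert(c *x509.Certificate) []string {
	var findings []string
	day := c.NotBefore.UTC().Format("2006-01-02")
	if c.Subject.CommonName == "Microsoft Corporation" && (day == "2001-01-30" || day == "2001-01-31") {
		findings = append(findings, "validity starts on "+day+": matches the fraudulent certificates")
	}
	if len(c.CRLDistributionPoints) == 0 {
		findings = append(findings, "no CRL distribution point: revocation cannot be checked automatically")
	}
	return findings
}

// buildSampleCert makes a self-signed cert as constructed test data (not a real certificate).
func buildSampleCert(notBefore time.Time, crlURLs []string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Microsoft Corporation"},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(1, 0, 0),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		CRLDistributionPoints: crlURLs,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	bogus, _ := buildSampleCert(time.Date(2001, time.January, 30, 0, 0, 0, 0, time.UTC), nil)
	fmt.Println(auditCodeSigningCert(bogus))
}
```

A cert issued on any other date that does carry a CRL URL produces no findings, which is the point: the date check only catches these two certificates, while the missing CRL pointer is what makes them impossible to revoke on the client.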



Comments

  • yossarin


    TRUSTED third party.

    *TRUSTED*

