http://www.computeruser.com/news/01/07/30/news3.html

By Brian McWilliams, Newsbytes. July 30, 2001

Microsoft security bulletins often fail a popular e-mail authentication system. But the company insisted that its method for distributing security information is sound.

To protect against forgery, Microsoft's security response center digitally signs its bulletins with PGP before e-mailing them to the more than 100,000 subscribers to its security notification service. But if recipients attempt to verify the messages' authenticity, PGP often issues a warning that the signer of the bulletin is invalid.

PGP, a public key encryption and authentication technology developed by Phil Zimmermann, has been widely adopted by security-conscious Internet users. Network Associates Inc. acquired PGP in 1997.

"The problem is that Microsoft's bulletins effectively look as if they're forged. And telling a Microsoft forgery from someone else's is virtually impossible," said Paul Murphy, head of information technology at Gemini Genomics, a genetic research firm in Cambridge, England.

Murphy encountered the problem when he attempted to verify the PGP signature on security bulletin MS01-040, which was distributed by Microsoft Wednesday night. It has been confirmed that on the last 22 bulletins distributed by Microsoft since March 27, PGP reports that the signer of the key is invalid. One bulletin, MS01-018, included both a bad signature and an invalid signer.

When PGP is used to digitally sign a message, the contents of the e-mail are encrypted and placed in a signature block at the bottom of the message. Upon reading the message, recipients can use PGP to decrypt and verify the contents of the e-mail.

Scott Culp, head of Microsoft's security response center, acknowledged that the company's bulletins may cause PGP to generate invalid key warnings because of an "implementation issue" in the PGP program.
According to Culp, Microsoft has chosen not to rely on an authentication concept in PGP known as "the Web of trust," in which a key deployed by a PGP user to encrypt documents gains validity if it is "signed" by other PGP users.

"The Web of trust works well if you're exchanging e-mail among friends. But we don't ask anybody to sign our key. We have always relied (on) other, better ways of validating our key," said Culp. Those techniques include providing a secure download of the key from the Microsoft site and publishing the key's fingerprint, he said.

Earlier this month, a malicious user distributed a bogus Microsoft security bulletin from a forged Microsoft return address. The message advised recipients to download a security patch, which security experts later identified as containing an Internet worm.

In a message at its site about the bogus bulletin, Microsoft said "This is not the first time malicious users have issued counterfeit security bulletins, and it will likely not be the last. Microsoft urges customers to always verify any mail that claims to be a Microsoft security bulletin."

The bogus Microsoft bulletin distributed July 10 contained text near the bottom that resembled a PGP signature block. But Newsbytes has confirmed that the e-mail was not digitally signed.

Besides sometimes not being able to verify the signer of a Microsoft bulletin, some users may also encounter problems with the PGP signature. Usually "bad" signatures result from bits of data being altered during the bulletin's transit across the Internet, according to Culp.

Despite these problems and the confusion that may result, Microsoft will stick to signing its bulletins with PGP. "If you can't verify the signature or the key appears to be invalid, all it means is that you don't know for sure whether the bulletin came from us and hasn't been modified. In those cases, you should check the Web site, which has the authoritative version," said Culp.
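The distinction Culp draws between a signer PGP cannot vouch for and a signature that is actually bad is one a recipient can act on mechanically. The following is an added example, not code from the article or from Microsoft: it classifies GnuPG's machine-readable `--status-fd` output into those cases and checks the signing key's fingerprint against a value the publisher documents out of band, as Culp describes, instead of relying on the web of trust. The status lines, key id, fingerprint and user id are constructed, and the published fingerprint is a placeholder.

```python
import re

# Placeholder: the fingerprint the publisher documents out of band (on its web
# site). The real value is not on this page and must be looked up there.
PUBLISHED_FINGERPRINT = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"

# Constructed gpg --status-fd output (invented key id, fingerprint and user id).
STATUS_UNTRUSTED_SIGNER = """\
[GNUPG:] GOODSIG 0123456789ABCDEF Example Response Center <secure@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2001-07-25 996019200 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
STATUS_ALTERED = "[GNUPG:] BADSIG 0123456789ABCDEF Example Response Center <secure@example.invalid>\n"
STATUS_NO_KEY = """\
[GNUPG:] ERRSIG 0123456789ABCDEF 1 2 00 996019200 9 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
"""

def parse_status(text):
    """Map '[GNUPG:] KEYWORD args...' lines to keyword -> list of arg lists."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\[GNUPG:\] (\S+)\s*(.*)", line)
        if m:
            out.setdefault(m.group(1), []).append(m.group(2).split())
    return out

def classify(status_text, published_fpr):
    """Turn a verification result into what it actually tells the recipient."""
    s = parse_status(status_text)
    if "BADSIG" in s:
        return "bad-signature"        # text or signature altered since signing
    if "NO_PUBKEY" in s:
        return "no-key"               # cannot verify at all; fetch the key first
    if "GOODSIG" not in s or "VALIDSIG" not in s:
        return "no-signature"         # e.g. a fake signature block, as in the bogus bulletin
    fpr = s["VALIDSIG"][0][0].upper()
    if fpr != published_fpr.replace(" ", "").upper():
        return "fingerprint-mismatch" # valid signature, but not the documented key
    trust = next((k for k in s if k.startswith("TRUST_")), "TRUST_UNDEFINED")
    if trust in ("TRUST_UNDEFINED", "TRUST_NEVER"):
        return "authentic-key-unsigned"  # PGP's "invalid signer": web of trust, not forgery
    return "authentic"

if __name__ == "__main__":
    for name, text in (("untrusted signer", STATUS_UNTRUSTED_SIGNER),
                       ("altered in transit", STATUS_ALTERED),
                       ("key not on keyring", STATUS_NO_KEY)):
        print(f"{name}: {classify(text, PUBLISHED_FINGERPRINT)}")
```

Only "bad-signature" and "no-signature" should be treated as a failed bulletin; "authentic-key-unsigned" is the warning the article describes and is resolved by the fingerprint comparison, not by the web of trust.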
According to Murphy, most people don't verify the PGP signature in incoming messages. "If they see there's a signature, most people assume it's okay and trust it without actually verifying whether it checks out," said Murphy.

-=-

Microsoft Security Response Team's PGP key is at http://www.microsoft.com/technet/security/MSRC.asc. The Microsoft notice about bogus bulletins is at http://www.microsoft.com/technet/itsolutions/security/news/bogus.asp.
This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 05:02:18 PDT