Information Security News mailing list archives

Microsoft bulletins fail PGP verification


From: InfoSec News <isn () c4i org>
Date: Wed, 1 Aug 2001 04:48:46 -0500 (CDT)

http://www.computeruser.com/news/01/07/30/news3.html

By Brian McWilliams, Newsbytes.
July 30, 2001

Microsoft security bulletins often fail a popular e-mail
authentication system. But the company insisted that its method for
distributing security information is sound.

To protect against forgery, Microsoft's security response center
digitally signs its bulletins with PGP before e-mailing them to the
more than 100,000 subscribers to its security notification service.
But if recipients attempt to verify the messages' authenticity, PGP
often issues a warning that the signer of the bulletin is invalid.

PGP, a public key encryption and authentication technology developed
by Phil Zimmermann, has been widely adopted by security-conscious
Internet users. Network Associates Inc. acquired PGP in 1997.

"The problem is that Microsoft's bulletins effectively look as if
they're forged. And telling a Microsoft forgery from someone else's is
virtually impossible," said Paul Murphy, head of information
technology at Gemini Genomics, a genetic research firm in Cambridge,
England.

Murphy encountered the problem when he attempted to verify the PGP
signature on security bulletin MS01-040, which was distributed by
Microsoft Wednesday night.

It has been confirmed that on the last 22 bulletins distributed by
Microsoft since March 27, PGP reports that the signer is invalid. One
bulletin, MS01-018, included both a bad signature and an invalid
signer.

When PGP is used to digitally sign a message, the contents of the
e-mail are encrypted and placed in a signature block at the bottom of
the message. Upon reading the message, recipients can use PGP to
decrypt and verify the contents of the e-mail.

Scott Culp, head of Microsoft's security response center, acknowledged
that the company's bulletins may cause PGP to generate invalid key
warnings because of an "implementation issue" in the PGP program.

According to Culp, Microsoft has chosen not to rely on an
authentication concept in PGP known as "the Web of trust," in which a
key deployed by a PGP user to encrypt documents gains validity if it
is "signed" by other PGP users.

"The Web of trust works well if you're exchanging e-mail among
friends. But we don't ask anybody to sign our key. We have always
relied (on) other, better ways of validating our key," said Culp.
Those techniques include providing a secure download of the key from
the Microsoft site and publishing the key's fingerprint, he said.

Earlier this month, a malicious user distributed a bogus Microsoft
security bulletin from a forged Microsoft return address. The message
advised recipients to download a security patch, which security
experts later identified as containing an Internet worm.

In a message at its site about the bogus bulletin, Microsoft said
"This is not the first time malicious users have issued counterfeit
security bulletins, and it will likely not be the last. Microsoft
urges customers to always verify any mail that claims to be a
Microsoft security bulletin."

The bogus Microsoft bulletin distributed July 10 contained text near
the bottom that resembled a PGP signature block. But Newsbytes has
confirmed that the e-mail was not digitally signed.

Besides sometimes not being able to verify the signer of a Microsoft
bulletin, some users may also encounter problems with the PGP
signature. Usually "bad" signatures result from bits of data being
altered during the bulletin's transit across the Internet, according
to Culp.

Despite these problems and the confusion that may result, Microsoft
will stick to signing its bulletins with PGP.

"If you can't verify the signature or the key appears to be invalid,
all it means is that you don't know for sure whether the bulletin came
from us and hasn't been modified. In those cases, you should check the
Web site, which has the authoritative version," said Culp.
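The article separates two distinct PGP results: whether the signature itself checks out (a "bad signature" means the bytes were altered in transit or never signed by that key) and whether the signer's key is *valid* in the recipient's keyring, which under the web of trust depends on who has certified it. Microsoft's key, which nobody certifies, fails the second test even when the signature is good, unless the user has checked its fingerprint out of band. The following model, added here as an illustration and not code from the article, from Microsoft or from PGP, computes key validity the way the classic web of trust does (one fully trusted certifier or three marginal ones, with certifiers themselves having to be valid) and shows the fingerprint check as the alternative route. The keyring, the `FP-…` fingerprints and the thresholds are constructed placeholders.

```python
"""Web-of-trust validity next to the signature result a recipient sees.

Added example, not the article's or PGP's own code.  All fingerprints
and the sample keyring are constructed placeholders.
"""
from dataclasses import dataclass, field
from enum import Enum


class Trust(Enum):
    """How far the local user trusts a key's owner to certify other keys."""
    UNKNOWN = 0
    MARGINAL = 1
    FULL = 2
    ULTIMATE = 3   # the user's own key


@dataclass
class Key:
    fingerprint: str
    owner_trust: Trust = Trust.UNKNOWN
    certified_by: set = field(default_factory=set)  # fingerprints that signed this key


# Classic PGP defaults: one fully trusted certifier, or three marginal ones
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3


def key_is_valid(keyring, fpr, verified_fingerprints=frozenset(), _path=()):
    """Return True if the local user may treat `fpr` as belonging to its owner.

    Two independent routes, mirroring the article:
      * web of trust: enough valid certifiers whose owners we trust;
      * out-of-band: the user compared the fingerprint with a copy
        obtained another way (Microsoft publishes its fingerprint).
    """
    if fpr in verified_fingerprints:
        return True
    key = keyring.get(fpr)
    if key is None:
        return False
    if key.owner_trust is Trust.ULTIMATE:
        return True
    full = marginal = 0
    for cert in key.certified_by:
        certifier = keyring.get(cert)
        if certifier is None or cert in _path:
            continue  # unknown certifier, or a certification cycle: counts for nothing
        if not key_is_valid(keyring, cert, verified_fingerprints, _path + (fpr,)):
            continue  # a certifier's signature counts only if the certifier is valid
        if certifier.owner_trust in (Trust.FULL, Trust.ULTIMATE):
            full += 1
        elif certifier.owner_trust is Trust.MARGINAL:
            marginal += 1
    return full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED


def classify(signature_good, signer_valid):
    """Map the two PGP results onto what a recipient should conclude."""
    if not signature_good:
        return "bad signature: contents altered in transit or not signed by this key"
    if not signer_valid:
        return "good signature, invalid signer: origin unknown, consult the authoritative web copy"
    return "good signature, valid signer"


def build_sample_keyring():
    """Constructed keyring; the FP-* fingerprints are placeholders, not real key IDs."""
    me = Key("FP-ME", Trust.ULTIMATE)
    alice = Key("FP-ALICE", Trust.FULL, certified_by={"FP-ME"})
    bob = Key("FP-BOB", Trust.MARGINAL, certified_by={"FP-ME"})
    carol = Key("FP-CAROL", Trust.MARGINAL, certified_by={"FP-ME"})
    dave = Key("FP-DAVE", Trust.MARGINAL, certified_by={"FP-ME"})
    friend = Key("FP-FRIEND", certified_by={"FP-BOB", "FP-CAROL", "FP-DAVE"})
    coworker = Key("FP-COWORKER", certified_by={"FP-ALICE"})
    vendor = Key("FP-VENDOR")   # nobody in our web has signed it, as Culp describes
    return {k.fingerprint: k for k in (me, alice, bob, carol, dave, friend, coworker, vendor)}


def demo():
    """Validity of each sample key under the web of trust, plus the fingerprint route."""
    ring = build_sample_keyring()
    return {
        "friend": key_is_valid(ring, "FP-FRIEND"),
        "coworker": key_is_valid(ring, "FP-COWORKER"),
        "vendor_web_of_trust": key_is_valid(ring, "FP-VENDOR"),
        "vendor_fingerprint_checked": key_is_valid(ring, "FP-VENDOR", frozenset({"FP-VENDOR"})),
    }


if __name__ == "__main__":
    for name, valid in demo().items():
        print(f"{name:28} valid={valid}  -> {classify(True, valid)}")
    print("tampered bulletin            ->", classify(False, True))
```

The vendor key comes out invalid under the web of trust and valid only after the fingerprint has been checked against an independently obtained copy, which is exactly the "invalid signer" warning Murphy saw and the remedy Culp describes. The `classify` step keeps the two failure modes apart: a bad signature is an integrity problem with the message, an invalid signer is a trust problem with the key, and neither should be read as "probably fine because a signature block is present".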

According to Murphy, most people don't verify the PGP signature in
incoming messages.

"If they see there's a signature, most people assume it's okay and
trust it without actually verifying whether it checks out," said
Murphy.

-=-

Microsoft Security Response Team's PGP key is at
http://www.microsoft.com/technet/security/MSRC.asc.

The Microsoft notice about bogus bulletins is at
http://www.microsoft.com/technet/itsolutions/security/news/bogus.asp.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.
