MS soft-pedals SSL hole

Security Focus ^ | Aug 16 2002 6:35AM | Thomas C. Greene

[Dominic Harr]

A Microsoft security PR bulletin dealing with the recent SSL (Secure Sockets Layer) certificate hole reported by Mike Benham goes out of its way to assure Windows users that there's little to be concerned about. The recent negative talk about it hasn't been properly 'balanced' (i.e., approved by the Marketing Department), apparently.

"We regret any anxiety that customers may have experienced regarding this issue. Clearly, it would have been best if a balanced assessment of the issue and its risk had been available from the start," the company's PR bunnies want you to know.

Attacking the flaw, MS says, would be well-nigh impossible for three reasons.

First, there's no easy way for an attacker to lure a victim to a malicious knock-off Web site, which MS flacks insist is a precondition for exploitation. Actually, what they say is, the attack scenario "provides no way to make the user actually arrive at the attacker's site."

Well, that's true in a sense. Luring the victim is a problem which needs to be solved or sidestepped for an attack to work. But is it strictly necessary? The short answer is no. Benham's attack tool, sslsniff, uses ARP (Address Resolution Protocol) spoofing rather than social engineering, and just grabs data from other people's SSL sessions using ARPspoof to get between client and host as a proxy, and his certificate chaining attack to defeat Windows' certificate verification mechanism. Thus an attacker can easily place himself between you and your bank and log your business using a bogus SSL certificate which IE will not warn you of.

We publish this because there's a simple, free workaround. Just install Mozilla for Windows if you need to rely on SSL while MS comes up with a fix.

Second, MS claims that the attacker's identity would be 'easy to determine' because there are fairly strict ID requirements for people to obtain digital certs, and Benham's approach requires the attacker to use one in signing an intermediate cert.

Reader Andrew Gray of Icons, Inc. doesn't buy that for a minute, and sent us an email disputing the claim.

"Most likely, the identity of the fool that had his Web server rooted and keys stolen could easily be established," he writes. "Many SSL Web site operators remove the 'key-protecting key' that protects the Web server's private key so that the SSL component of httpd will start at reboot without manual intervention. Will the first person to post a valid signed certificate and its associated unprotected private key to USENET bring down the E-Commerce infrastructure of the world? Does IE even check to see if the certificate has been revoked?"

"Unfortunately, what this issue means is that we need to not only trust VeriSign and all the other root CAs [Certificate Authorities] in their ability to protect their keys (as we have historically done), we now have to trust every Web server and its associated people, policies, and procedures for maintaining the integrity and confidentiality of their keys."

Well of course we always did have to; it's just since Benham showed us how easy it is to forge an SSL cert with any valid key that we've appreciated it fully.

Finally, Redmond's PR bunnies tell us that "the user would always have the ability to determine the truth," if he were confronted by a dodgy SSL cert from somewhere outside the site he's trusting. He would not be warned, mind you; but he'd have every opportunity to look into it on his own.

"Anytime an SSL session has been established, an icon shaped like a lock is present in the lower right corner of the screen. By double-clicking on the icon, the user can see information about the site's digital certificate, including the identity of the issuer. This would clearly show that, in contrast to the norm, this one hadn't been directly issued by a commercial Certificate Authority," MS cheerfully notes.

Gray has a colorful comeback: "You can tell the average user that they need to start validating certificate chains manually. End users have trouble keeping food off their keyboard and sorting messages in Outlook. Try explaining this problem to them."

We sense a period of bitter helpdesk experience somewhere in that CV. But the point is fair. The fact that a certificate is signed by an intermediary may not ring alarms for many users, assuming they ever bother to check what their little padlock icon has to say. They've been told in a million ways that incomprehensible and virtually infallible technology is always invisibly at work on their behalf. A naive user may well assume that if there were anything wrong with a certificate being signed by an outside entity, surely a company that promises nothing but Great Experiences from Great Software would have taken steps to prevent it from happening. ®

[Dominic Harr]

"We regret any anxiety that customers may have experienced regarding this issue. Clearly, it would have been best if a balanced assessment of the issue and its risk had been available from the start,"

"Balanced Assessment".

Yeah. Sure. Right.

[Dominic Harr]

Is this kind of thing 'fraud'?

[E. Pluribus Unum]

On a related note: KDE smokes MS in SSL bug fix

[Dominic Harr]

Yeah, this is a fascinating ongoing saga.

The other software companies patch their software a.s.a.p., and MS refuses to even admit there's a problem.

This is exactly why so many of us have a problem with MS. Rather than stand behind their products, they do this kind of thing.

Imagine if any other industry tried to get away with this.

[E. Pluribus Unum]

Imagine if any other industry tried to get away with this.

The federal government gets away with it all the time. They still won't admit that TWA Flight 800 was taken out by a missile.

[Dominic Harr]

The federal government gets away with it all the time.

Yes, true.

How very very true.

[TechJunkYard]

Excerpt from the Computerworld article:

Microsoft said it's working on patches for Windows 98, Me, NT4, 2000 and XP. It wouldn't say when the patches would be available.

"This SSL flaw has been described as an [Internet Explorer] problem, but it is a Windows issue. It's in the crypto of the operating system, so we have to patch the OS," said Scott Culp, manager of the Microsoft Security Response Center. "IE is a consumer of those crypto services."

He described it as an "implementation problem in the way SSL certificates are processed, where information is not available in the certificate or it is available in two places and there is a conflict."

---

This is just MS jockeying for more debug time. They know it's a problem and they are fixing it, but they're trying to avoid user panic and criticism by minimizing it now. Typical.

And I'm surprised (shouldn't be) at The Reg for their lack of balance in this story... they should have checked into it a little further.

[Bush2000]

The federal government gets away with it all the time. They still won't admit that TWA Flight 800 was taken out by a missile.

And who, pray tell, fired that missile?

[Bush2000]

And I'm surprised (shouldn't be) at The Reg for their lack of balance in this story... they should have checked into it a little further.

C'mon, dude. You're surprised? That the Register would have a "lack of balance"?!? They practically define the term ABM.

[tictoc]

For years I've been hearing IP v6 will make the Internet safe. Why isn't it here already?

[E. Pluribus Unum]

And who, pray tell, fired that missile?

Don't know, but at least you are admitting there was one.

[E. Pluribus Unum]

James Sanders, author of "The Downing of Flight 800" was prosecuted and imprisoned for publishing his book. Why would that happen in a free country?

[TechJunkYard]

They practically define the term ABM.

Nah, you guys are paranoid. The folks at The Reg might have a bunch of griping about MS, but they're anti-everybody... ABHP, ABIBM, ABDell, ABAOL, all of the telecomms, they're even negative about RedHat.

I mainly go there just for the BOFH series.

[Bush2000]

Don't know, but at least you are admitting there was one.

It certainly wasn't a Navy ship. I've been aboard my share of 'em, and there are so many people aboard who know (and can hear) what ordinance gets fired that it would be impossible to keep this secret. So the only alternative was that it was a SAM launcher (unlikely) or a shoulder-fired launcher such as a Stinger (possible, but unlikely). I will grant you that the evidence (if you can call eyewitness testimony that) is compelling but it's not conclusive.

[mikenola]

Microsoft: SSL flaw is in operating system, not Web browser


By John Fontana, Network World
AUGUST 15, 2002





Microsoft Corp. said yesterday that the Secure Sockets Layer (SSL) flaw recently uncovered by an independent researcher is in multiple versions of the Windows operating system, not its Internet Explorer Web browser.
Company officials added that the flaw isn't in Microsoft's CryptoAPI application program interface (CAPI) either, which would have left a number of applications and Windows services vulnerable, not just Internet Explorer.

Security researcher Mike Benham reported that Internet Explorer had a security flaw that could undermine the security provided by SSL, a standard for securing online transactions and e-commerce (see story). The flaw opens a vulnerability called a man-in-the-middle attack, where the attacker can hijack an SSL session and decrypt messages that could contain credit card or Social Security numbers.

Microsoft said it's working on patches for Windows 98, Me, NT4, 2000 and XP. It wouldn't say when the patches would be available.

"This SSL flaw has been described as an [Internet Explorer] problem, but it is a Windows issue. It's in the crypto of the operating system, so we have to patch the OS," said Scott Culp, manager of the Microsoft Security Response Center. "IE is a consumer of those crypto services."

He described it as an "implementation problem in the way SSL certificates are processed, where information is not available in the certificate or it is available in two places and there is a conflict."

Culp said the flaw doesn't lie within CAPI but in the code that performs validation of SSL certificate chains, which refers to the hierarchy of trust that cascades from certificate authorities such as VeriSign Inc. The operating system must be patched, because Internet Explorer doesn't have its own cryptography code and must rely on the operating system for that service, he said.

Konqueror.org was able to patch its open-source Konqueror Web browser, which had the same SSL flaw as Internet Explorer, in less than 90 minutes because it uses its own built-in certification verification library.

Microsoft officials said it makes sense for the operating system to provide cryptographic services to any application that needs it, instead of each application having to include its own cryptographic technology.

But Culp said that the SSL flaw doesn't affect any other application outside Internet Explorer and that it's a client-side issue only.

The IDG News Service contributed to this report.

[E. Pluribus Unum]

James Sanders had a piece of fabric from one of the seats analyzed and it contained rocket propellant residue. They sent him to prison based on a law that was intended to prevent souvenir hunters from taking evidence from crash sites. That's not what he did. He obtained a small swatch of cloth from a seat in the explosion zone long after the NTSB's investigation had been complete.

It it looks like a coverup and walks like a coverup and smells like a coverup...

As far as why the feds would do this, to me it is simple: if a bad guy gets his hands on a SAM/Stinger, there is no way you can stop him from taking out an aircraft. All the airport screeners in the world couldn't stop it. So the feds deny it ever happened, and cover it up each time it happens. It's their only option, really, until somebody shoots a plane down with so many eyewitnesses and video cameras rolling (like a 4th of July celebration in Washington DC, for instance) that it cannot be covered up.

Once that happens, the airline industry might as well close up shop.