Everhart,Glenn
From:	Russ [Russ.Cooper@RC.ON.CA]
Sent:	Friday, May 08, 1998 1:49 PM
To:	NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject:	Alert: S/MIME problems with Outlook '98
> This problem describes issues with the Protected Storage subsystem in
> NT and Win9x, and in particular, its use with S/MIME and Outlook '98.
>
> Situation:
>
> A user has obtained a Digital Certificate from Verisign to use with
> S/MIME, and during installation, has chosen to set their security
> level to "Medium" (which means that each time their certificate is
> used, a dialog will appear informing them). Said certificate can be
> used to both digitally sign, and encrypt, a message sent from Outlook
> '98.
>
> After creating a message and setting the options to sign & encrypt,
> the user presses the "Send" button. The message window closes and the
> Protected Storage dialog appears informing them of the use of their
> certificate. The dialog has 3 buttons and an "X" to close it. "Ok",
> "Cancel", and "Details". The message is not acted on until this dialog
> is closed by clicking "Ok", "Cancel", or the "X".
>
> Based on the presentation of a "Cancel" button, the user decides (for
> whatever reason) that the action should not be completed. The natural
> assumption is that the message will not be sent.
>
> Problem:
>
> The message is sent, and what's worse, by clicking on the cancel
> button, the message is sent without encryption.
>
> What happens is that the request to apply the digital certificate (and
> then use that mechanism to encrypt the message) is completely
> cancelled, but the message gets sent anyway.
>
> The targeted recipients will receive a message that appears to have a
> digital certificate (they will see a little blue ribbon icon beside
> the message), but when they open it a dialog will appear indicating a
> problem with the signature of the message. This dialog lists a variety
> of information about the signing of the message that is supposed to be
> based on the presence of an actual signature. However, since the
> sender cancelled the use of their signature, no certificate is
> actually attached.
>
> The receiver is told, for example, that the message;
>
> - The signature is invalid
> this makes sense, it was never signed)
>
> - The message is digitally signed
> yet it isn't
>
> - The contents were not altered after it was signed
> it was never signed, so how does it know this?
>
> - The certificate is not revoked
> it was never signed, so how does it know this?
>
> - The certificate is not expired
> it was never signed, so how does it know this?
>
> - The certificate is trusted
> it was never signed, so how does it know this?
>
> - Email address on certificate is same as sender's address
> it was never signed, so how does it know this?
>
> - There are other failure reasons
> When there are other failure reasons Outlook states "You can look at
> the problems with the certificate by selecting View Certificate", but
> the View Certificate button is grayed because there was no
> certificate!
>
> To top that off, Outlook has a View Message button on this dialog.
> When you click that button Outlook displays the message that was sent,
> unencrypted.
>
> Risks:
>
> The risks here should be obvious. When the original Protected Storage
> dialog box appears to inform you of the use of your certificate, users
> are going to believe that hitting Cancel is going to cancel their
> message entirely. If the message composed was intended to be
> encrypted, due to its sensitive nature, and they do hit Cancel, this
> sensitive information will be sent in clear text.
>
> Further, no other information is provided to the sender. They are not
> informed that the message has been sent anyway unencrypted. If the
> recipient views the contents by using the View Message button, they
> are then able to reply to that original message. If they do reply,
> Encryption has been automatically dropped from the Options, but again,
> this has been done without notification to the user. Hence a
> conversation could carry on between the two individuals without either
> of them realizing that the messages were being sent unencrypted.
>
> The warning dialogs do not explain to the recipient what is wrong with
> the message, just that its an invalid signature. Since they can still
> see the message (albeit by clicking a few unfamiliar buttons), they
> may obviously believe everything is proceeding.
>
> WorkAround:
>
> One workaround for this issue is to not set the security level to
> Medium or High but to use Low instead. This prevents the dialog box
> from appearing at all, so its not possible to mistakenly send
> unencrypted messages in the fashion described above.
>
> Unfortunately, this workaround introduces another exploit possibility.
> If the setting is set to Low, then a rogue process could cause a
> message to be created by your machine and sent, signed with your
> certificate, all without you knowing. The purpose of the Medium
> setting is to avoid precisely this possibility.
>
> So in other words, you're damned if you do and damned if you don't.
>
> Setting your security level to High is not a workaround. You will then
> be presented with numerous dialog boxes, none of which provide any
> useful information as to what is taking place (same true with the
> Details dialog at the Medium setting, it simply tells you that
> "Outlook" is trying to "Read" information from Protected Storage, not
> that its sending a particular message with contents "blah blah").
>
> Solution:
>
> The "Cancel" button must either cancel the message entirely, or should
> not be present. I prefer to see it cancel the message entirely. The
> reasoning is that should a rogue application actually create a message
> on my behalf and sign it with my certificate, not only do I want to
> know this has happened, but I want to prevent the message from being
> sent at all. When certificates are accepted for some important reason,
> the effort involved in explaining to the recipient why they received a
> message with my invalid signature is going to be too high.
>
> If a message is going to be sent regardless, then two changes must be
> made to the current procedure;
>
> 1) The "Details" button must be able to display the contents of
> whatever has been signed/encrypted with my use of Protected Storage.
> Since there is no way to view the message from within Outlook at this
> point in the process, then this dialog must facilitate that.
>
> 2) The recipient "Invalid Signature" dialog box must not put pretty
> green check marks beside all of those things it has no way of
> confirming. Without a signature, it obviously cannot verify whether or
> not its valid, expired, revoked, or anything else. The false positive
> defaults for these items in that dialog are completely incorrect and
> lead to a false level of trust (gee, everything but "other" is Ok, I
> guess the message is "mostly" Ok!).
>
> Comments:
>
> With the security level set to Medium, this appears to be a bug not an
> exploit. Users may take actions that they believe will have a
> different effect. Microsoft is already aware of this issue.
>
> If this is not fixed swiftly (and I currently have an open incident
> with MS Premier Support Services on this issue), the use of S/MIME in
> Outlook '98 is seriously compromised.
>
> Other uses of Protected Storage and the Medium security setting have
> not been investigated, there may be other issues of more or less
> importance that this problem relates to (including the possibility
> that this may be used as an exploit).
>
> To those that may suggest the use of PGP, Network Associates Inc. have
> confirmed that PGP will not be supported in Outlook '98 until some
> time between August and October of '98. While some aspects of PGP
> 5.5.2 do work well in Outlook '98, many ways of GP'ing PGP exist and
> its not a stable choice (not to mention that they're support only
> provides "best effort" to resolve issues with Outlook '98).
>
> Cheers,
> Russ Cooper
> R.C. Consulting, Inc. - NT/Internet Security
> http://www.ntbugtraq.com
> http://www.ntbugtraq.com/ntsecurity