Re: Security Flaw with Digital signatures in Microsoft Outlook

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Security Flaw with Digital signatures in Microsoft Outlook
From: <dori@xxxxxxxxxxxx>
Date: 29 Mar 2005 04:18:21 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

In-Reply-To: <20050325202052.15663.qmail@xxxxxxxxxxxxxxxxxxxxx>

Mr Roberto managed to change email headers ? ?from address?.

Security Professionals know the email headers can't be trusted and can be 
easily forged.
Most Outlook users *do not*.

The ?signed by? and the certificate signer remain valid ? so its issue of 
educating users to look at the "signed by" field , and not the from address.

This "Feature / Flaw" can be the source of some problematic phishing scams:
if i buy a certificate for some-user@xxxxxxxxxxx
and send a forged email with "from" helpdesk@xxxxxxxxxxx, signed by that 
some-user@xxxxxxxxxxx
I'm sure it can get the passwords from most of the users.

I'm sure some ppl will take this further and we are going to see this trend in 
phishing evolving quickly.

Dori Fisher,
We! Consulting group.

Prev by Date: Re: iDEFENSE Security Advisory 03.28.05: Multiple Telnet Client slc_add_reply() Buffer Overflow Vulnerability
Next by Date: [PersianHacker.NET 200503-12]Chatness 2.5.1 and prior XSS Vulnerabilities
Previous by thread: Re: Security Flaw with Digital signatures in Microsoft Outlook
Next by thread: phpMyDirectory 10.1.3-rel Cross site scripting
Index(es):
- Date
- Thread