
Security Issues with MS Windows



World Class Authority

Bruce Schneier (a world-renowned expert on cryptography) really boiled it down, although he was only talking about browsers and e-mail software at the time:
<URL: http://www.cotse.com/mailing-lists/ntbugtraq/0395.html>

If a virus replaces the root Netscape certificate with a phony one, it can trick you into believing a fake certificate is valid. But that replacement certificate can't verify any real certificates, so you'll also believe that every real certificate is invalid. (Hopefully, you'll notice this.) But it works well with Microsoft's Authenticode. Microsoft had the foresight to include two root-level Authenticode certificates, presumably for if one ever gets compromised. But the software is designed to authenticate code if even one checks out. So a virus can replace the Authenticode spare certificate. Now rogue software signed with this rogue certificate verifies as valid, and real software signed by valid Microsoft-approved companies still checks out as valid.

See also his own follow-up to his own post:

<URL: http://www.cotse.com/mailing-lists/ntbugtraq/0397.html>
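
The asymmetry described in the quote above, modelled as an added example (not code from the original page, from Schneier, or from Microsoft or Netscape). Root certificates are reduced to constructed byte strings and "checks out" to a fingerprint match; the `audit_store` baseline comparison is an assumed defensive check that the page itself does not describe.

```python
import hashlib

# Constructed stand-ins for root certificates (not real certificate data).
ROOT_MAIN = b"constructed-root-main"
ROOT_SPARE = b"constructed-root-spare"
ROGUE = b"constructed-rogue-root"

def fingerprint(root):
    """SHA-256 fingerprint of a root certificate's bytes."""
    return hashlib.sha256(root).hexdigest()

def verifies(store, signing_root):
    """Accept if even one root in the store matches the signer's root."""
    return fingerprint(signing_root) in {fingerprint(r) for r in store}

def audit_store(store, baseline):
    """Compare the store with a pinned set of known-good fingerprints."""
    present = {fingerprint(r) for r in store}
    return {"unexpected": sorted(present - baseline),
            "missing": sorted(baseline - present)}

def scenario(original, tampered, roots_in_use):
    """Summarise what a user sees and what a baseline audit sees."""
    baseline = {fingerprint(r) for r in original}
    return {
        "rogue_accepted": verifies(tampered, ROGUE),
        # The only symptom a user could notice: real signatures failing.
        "legit_breaks": any(not verifies(tampered, r) for r in roots_in_use),
        "audit": audit_store(tampered, baseline),
    }

# Single root replaced: rogue code passes, but real code visibly fails.
single = scenario([ROOT_MAIN], [ROGUE], [ROOT_MAIN])
# Spare of two roots replaced: rogue code passes and nothing visibly fails.
# Assumption: legitimate software chains to the main root, not the spare.
dual = scenario([ROOT_MAIN, ROOT_SPARE], [ROOT_MAIN, ROGUE], [ROOT_MAIN])

if __name__ == "__main__":
    for name, result in (("single root", single), ("two roots", dual)):
        print(name, result["rogue_accepted"], result["legit_breaks"],
              result["audit"]["unexpected"] != [])
```

In the two-root case the user-visible symptom disappears, so only the comparison against a baseline recorded before tampering reveals the swapped spare.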

 

Who could be the casualties?

It would be difficult to list every casualty, but the most affected would be large organizations, governments, banks, companies, virtual private networks and e-commerce applications, followed by everyone using Windows on the World Wide Web, as they cannot be even slightly sure of Java applets, plugins and ActiveX controls.

Given these loopholes, using these products is highly dangerous from a security point of view. Services such as RAS, IIS, ODBC and VPN that depend on the Microsoft Cryptography API are no less at risk.

SSL, S/MIME and certificates in electronic commerce on these Windows platforms represent a vulnerability to both financial establishments and users of the Internet Explorer browser until these defects are fixed.




Copyright 1999 Dr. Raj Mehta. All rights reserved.