Thursday issued critical patches for flaws in most of its Windows platforms that can leave the systems susceptible to identity spoofing.
The vulnerability could enable an attacker who had a valid end-entity certificate to issue a bogus certificate that would pass validation. This could allow a variety of identity spoofing attacks, the worst of which may be the ability for a malicious user to set up a Web site that poses as a different Web site, and "proving" its identity by establishing an SSL session as the legitimate Web site.
Or, perpetrators may send fraudulent e-mails signed using a digital certificate that purportedly belongs to a different user; they may spoof certificate-based authentication systems to gain entry as a highly privileged user; digitally sign malware using an Authenticode certificate that claims to have been issued to a company users might trust.
Digital certificates are the front lines to identity management on computers. They serve as electronic credit card to verify a user's credentials on the Web. They usually contain a user's name, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real.
What Microsoft is saying is that malicious users can fake these to gain access to its operating systems as they sit on people's PCs.
Chris Wysopal, director of research & development at security consultancy @stake, said the flaws are very serious, and told internetnews.com why.
"Users are not in the habit of checking certificates for Web sites or for encrypted messages so even thought there is a means for a user to detect a spoof, practically it means nothing," Wysopal said. "The most serious risk is the client certificate attack which could allow an attacker to impersonate another user on a web site that authenticates with client certificates. Typically only high security Web sites use client certificates due to the administrative costs of issuing them. It is specifically these high security Web sites that are risk. Organizations running Web sites that use client certificates need to apply the patches immediately."
Wysopal said it was unfortunate that no patch was available for the Windows 2000 OS.
For Microsoft, the announcement is the latest in a series of security flaws. But this one may sting a bit more as it points to kinks in the armor of a company trying to allay consumers' fears that their identity and privacy won't be comprimised while using its products. This is a major concern for consumers who use the Web to conduct myriad transactions.
Last year, consumers in the US lost $17.8 million due to online fraud, said the Internet Fraud Complaint Center (IFCC), which tracks online-based consumer fraud statistics. An estimated 500,000 to 700,000 Americans fall victim to identity theft each year, making identity theft one of the fastest growing crimes in the nation.
Affected systems include Microsoft Windows 98, Microsoft Windows 98 Second Edition, Microsoft Windows Me, Microsoft Windows NT. 4.0, Microsoft Windows NT 4.0, Terminal Server Edition, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Office for Mac, Microsoft Internet Explorer for Mac, Microsoft Outlook Express for Mac.
While Microsoft is urging customers to patch their systems as soon as possible, the Redmond, Wash. software giant does not yet have patches for all of its operating system versions.
The company said customers can expect patches for the remaining vulnerable systems to be released shortly. The full security bulletin, with all of its technical details and scenarios, may be viewed here.
The spoofing flaws come on the heels of last week's warning from the company's Product Support Services (PSS) Security Team that it has detected an increased level of hacking activity.
Microsoft warned users that they may find Trojans such as Backdoor.IRC.Flood and its variants, and modification of the security policy on domain controllers.