ietf-openpgp

S/MIME vulnerability

2002-09-03 11:50:24

There is a report out recently indicating that Microsoft Outlook has a
major S/MIME security vulnerability.  See
http://online.securityfocus.com/archive/1/290107/2002-08-31/2002-09-06/0
or http://www.theregus.com/content/4/26172.html.

It is the same bug which was publicized a few weeks ago regarding SSL
site certificates.  Although at the time Microsoft claimed that the problem
was restricted to IE, it turns out that Outlook is affected too.

Basically the Microsoft software fails to distinguish which keys are
meant to be signers of other keys.  Essentially, all keys are trusted
as signers, if those keys are signed by other valid keys.  The effect
is that virtually any key can be used to sign another.

The S/MIME world uses X.509 certificates, of course, and so what it
means is that if you have a cert from Verisign, say, then you can create
certs on any key with any name you like, and the Microsoft software will
believe them.  Outlook will accept a signed message from one of these
bogus certs and will display the signer name (which you created and can
be anything you want) as valid, without any warnings or error indications.

The Bugtraq article says,

> As it stands, there is virtually no difference between signed and unsigned
> email in Outlook.  Unless carefully inspected, signed email in Outlook is
> essentially meaningless.  This also applies to any signed email received
> over the past 5+ years.

This is a very serious security vulnerability to have gone so long without
being detected.

Hal Finney
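
The check the message describes as missing, as an added example that is not part of the original post and not code from any vendor: X.509 marks which certificates may sign others with the basicConstraints extension (the cA flag and pathLenConstraint), and a path validator has to enforce it on every issuer in the chain. The `Cert` model, the function names and all certificate names are constructed for illustration, and signature verification is abstracted to following issuer names.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    # Constructed model holding only the fields relevant to this check.
    subject: str
    issuer: str
    is_ca: bool = False              # basicConstraints cA flag
    path_len: Optional[int] = None   # basicConstraints pathLenConstraint

def build_chain(leaf, pool, roots):
    """Follow issuer names from leaf to a trust anchor; None if no path exists."""
    chain = [leaf]
    while chain[-1] not in roots:
        parent = pool.get(chain[-1].issuer)
        if parent is None or parent in chain:   # unknown issuer or a loop
            return None
        chain.append(parent)
    return chain

def validate_signatures_only(leaf, pool, roots):
    """Flawed behaviour from the post: any key that chains to a root may sign."""
    return build_chain(leaf, pool, roots) is not None

def validate_with_basic_constraints(leaf, pool, roots):
    """Also require each issuer to be a CA and to respect pathLenConstraint."""
    chain = build_chain(leaf, pool, roots)
    if chain is None:
        return False
    # 'below' counts the intermediate CA certs between this issuer and the leaf.
    for below, issuer in enumerate(chain[1:]):
        if not issuer.is_ca:
            return False
        if issuer.path_len is not None and below > issuer.path_len:
            return False
    return True

# Constructed sample hierarchy.
root = Cert("Example Root CA", "Example Root CA", is_ca=True)
issuing = Cert("Example Issuing CA", "Example Root CA", is_ca=True, path_len=0)
alice = Cert("alice@example.com", "Example Issuing CA")        # end-entity
forged = Cert("ceo@example.org", "alice@example.com")          # signed by alice's key
sub_ca = Cert("Example Sub CA", "Example Issuing CA", is_ca=True)
bob = Cert("bob@example.com", "Example Sub CA")                # exceeds path_len=0

POOL = {c.subject: c for c in (root, issuing, alice, sub_ca)}
ROOTS = {root}
```

The certificate issued under an end-entity key passes the signature-only validator and is rejected once the cA flag is enforced; the `bob` case shows the same for a CA that exceeds its issuer's path length limit.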
