Re: Unauthorized reading confirmation from Outlook

[Alexander Klink <alexander () klink name>]

Hi Augusto,

On Thu, Jul 03, 2008 at 04:48:17PM -0400, Augusto Paes de Barros wrote:
> I've just got an interesting idea about how a malicious e-mail sender
> could try to get a unseen by the recipient reading confirmation,
> including the IP address of the recipient. I was working on S/MIME
> messages and I thought about the signature validation process, where
[...]

> that is embedded in the signed message. A specially crafted
> certificate (not from a trusted CA) can be generated with an AIA
> (Authority Information Access) extension containing an URL controlled
> by the malicious sender. By doing that the sender will immediately
[...]

You seem to have rediscovered the issue that I reported on full-disclosure
on April 1st - see
https://www.cynops.de/advisories/AKLINK-SA-2008-002.txt
https://www.cynops.de/advisories/AKLINK-SA-2008-003.txt
https://www.cynops.de/advisories/AKLINK-SA-2008-004.txt
https://www.cynops.de/techzone/http_over_x509.html

Note that Office 2008, Microsoft Live Mail and Microsoft Mail on Vista
are also affected.

For those of you who want to try that out, you can send an empty email
to smime-http () klink name, which will send you back an email that
will trigger the vulnerability and provide you with a link to check
whether the HTTP request reached my server.

I have also talked at this year's EuSecWest about this issue (and some
others), see the slides here:
http://eusecwest.com/esw08/esw08-klink.pdf

> Microsoft was notified about this issue last May.

> From your blog entry I assume this is actually this May (May 2008)?
They have known since mid-January, tested a bit in February but have not
responded to my mails on how they intend to fix it ...

Cheers,
  Alex