Hi Augusto, On Thu, Jul 03, 2008 at 04:48:17PM -0400, Augusto Paes de Barros wrote: > I've just got an interesting idea about how a malicious e-mail sender > could try to get a unseen by the recipient reading confirmation, > including the IP address of the recipient. I was working on S/MIME > messages and I thought about the signature validation process, where [...] > that is embedded in the signed message. A specially crafted > certificate (not from a trusted CA) can be generated with an AIA > (Authority Information Access) extension containing an URL controlled > by the malicious sender. By doing that the sender will immediately [...] You seem to have rediscovered the issue that I reported on full-disclosure on April 1st - see https://www.cynops.de/advisories/AKLINK-SA-2008-002.txt https://www.cynops.de/advisories/AKLINK-SA-2008-003.txt https://www.cynops.de/advisories/AKLINK-SA-2008-004.txt https://www.cynops.de/techzone/http_over_x509.html Note that Office 2008, Microsoft Live Mail and Microsoft Mail on Vista are also affected. For those of you who want to try that out, you can send an empty email to smime-http@xxxxxxxxxx, which will send you back an email that will trigger the vulnerability and provide you with a link to check whether the HTTP request reached my server. I have also talked at this year's EuSecWest about this issue (and some others), see the slides here: http://eusecwest.com/esw08/esw08-klink.pdf > Microsoft was notified about this issue last May. >From your blog entry I assume this is actually this May (May 2008)? They have known since mid-January, tested a bit in February but have not responded to my mails on how they intend to fix it ... Cheers, Alex
