03 April 2008, 11:38

Web bugs return using digital certificates

Spammers are once again using web bugs to verify the validity of of email addresses. This time the trick is not done with graphics but with digital certificates. Alexander Klink from German consultants Cynops has discovered a vulnerability in Microsoft products – or possibly in the Crypto API – that can be used to verify a victim's email address if they open a crafted email which is signed using S/MIME.

Traditionally, web bugs are small graphic images – often just one pixel – inserted into HTML emails which the mail client downloads from a website when you read the email. Spammers use them to verify email addresses, but the FBI has also used them to help put blackmailers behind bars. Web bugs in office documents work in a similar way, tracking access to documents. For security reasons, modern email clients do not automatically download content from external sites and office applications no longer contact servers without asking the user.

When receiving and opening S/MIME emails, Microsoft Outlook and Windows Live Mail will attempt to contact the URIs specified in the X.509 certificates. RFC 3280 makes provision for extensions to the certificate via which the clients can check the validity of a certificate by downloading an "intermediate certificate". The URI of the intermediate certificate is contained in the certificate itself. Because it is possible to enter as many URIs in the CA issuer fields as you like, spammers – or the FBI – can view the URI on their own servers and obtain information on the recipient's IP address as well as the date and time of receipt. Microsoft's Crypto API will fetch up to five such URIs for each certificate.

According to Klink, this vulnerability could facilitate other attacks, since the URI allows an attacker to access resources on the local network that would normally be unreachable to an external attacker. Although no direct information is revealed, the time difference between the arrival of external and internal URI requests could allow someone to determine whether a system with a particular IP address exists.

The problem affects both Microsoft's email clients and Office 2007. S/MIME gateways could also be vulnerable. The problem does not affect Lotus Notes 8, Mozilla Thunderbird, Apple email applications and OpenSSL-based email clients because, says Klink, they do not support certificate extensions and therefore do not request the URI.

Microsoft has been informed of the problem, but no solution appears to be imminent. As a workaround, the advisory suggests filtering outgoing user agents of S/MIME gateways via a firewall. For email clients, it suggests restricting HTTP requests.

You can find out if your own system is vulnerable and may be contacting an external server by sending a blank email to smime-http@klink.name. You will be sent an email with a link to check whether HTTP requests have been received. Alexander Klink has published a specially crafted Word document, which will also attempt to phone home.