VALIDATION PROCEDURE - Microsoft Security Bulletin - BEGIN PGP SIGNED MESSAGE


JJ

What is the procedure to validate the authenticity of a Microsoft Security
Bulletin from (e-mail address removed) its embedded PGP signature?

PGP 6.5.3 should be able to validate PGP 7.x & 8.x SIGNATURES right?

============
REF:

PGP Freeware 6.5.3 returns ...


*** PGP Signature Status: bad
*** Signer: Microsoft Security Response Center <[email protected]>
(Invalid)
*** Signed: 10/15/2003 2:50:08 PM
*** Verified: 10/15/2003 5:40:29 PM
*** BEGIN PGP VERIFIED MESSAGE ***

--------------------------------------------------------------------
Title: Microsoft Windows Security Bulletin Summary for October 2003
Issued: October 15, 2003
Version Number: 1.0
Bulletin: http://www.microsoft.com/technet/security/winoct03.asp
--------------------------------------------------------------------

....

--------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.

....

SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY
FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
LIMITATION MAY NOT APPLY.
--------------------------------------------------------------------

*** END PGP VERIFIED MESSAGE ***

*******************************************************************
....

To verify the digital signature on this bulletin, please download our PGP
key at http://www.microsoft.com/technet/security/notify.asp.

....

============

This is after loading the http://www.microsoft.com/technet/security/MSRC.asc


NOTE:

Using PGPkeys.exe I even signed and changed the key properties to trusted
after confirming:

FP: 5E39 0633 D6B3 9788 F776 D980 AB7A 9432 for
ID: 0x3103F52B

============
 

Bill Sanderson

You went a step further than I did--changing the key properties to trusted.
I did manage to verify the fingerprint, although I wasn't able to verify the
download from MIT!

I'm getting the same result you are, so we must be doing something
wrong--perhaps in using the older version. If this thread doesn't attract
someone who should know, like Michel Gallant, I'll see if I can find him or
someone else.

'course, maybe the other responder is right and it is a virus! (JOKE)
 

MikeyD

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> *** PGP Signature Status: bad

Means the file's been corrupted, probably. Get someone with 8.x to check
just in case it's a change in standards but I doubt it. See if it has
wrapped differently from what was intended.
There should be a line stating the hashing algorithm.

> *** Signer: Microsoft Security Response Center <[email protected]>
> (Invalid)

You shouldn't get this if you have signed the key, whether or not the
message is compromised.

> *** Signed: 10/15/2003 2:50:08 PM
> *** Verified: 10/15/2003 5:40:29 PM
> *** BEGIN PGP VERIFIED MESSAGE ***

Could you post the original? And I'll see if it decrypts with my version.

-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt http://www.hn.org/drno/pgp.shtml

iQA/AwUBP5AULrHlcSptAz1hEQLaNwCg5nOTJ8SIMdj3rpq02jXn/Xr1utcAn3pf
7o+xSEouo2CVxGu6y4G0dDmT
=TQgn
-----END PGP SIGNATURE-----
 

David Ross

As others have already noted, the "Invalid" merely means you did
not sign your copy of Micro$oft's public key. You validate a key
by signing it.

I can think of three reasons why you get "PGP Signature Status:
bad". Technically, all of them are equivalent although they
differ operationally.

1. Line wrapping occurred in the sender's E-mail client after the
message was signed. PGP and compatible encryption software wraps
the lines before signing. If the E-mail client forces an even
shorter line-length and wraps again, signature verification will
fail.

2. Appropriate MIME-compliant character translations between
unlike platforms did not occur. For example, PGP assumes that all
end-of-lines are represented by CR-LF, which is the standard PC
representation; PGP assumes this even for messages signed or
verified on a UNIX host, where end-of-lines are represented by
only LF. Any necessary translation occurs for PGP when the
message is temporarily converted to ASCII-armored before signing.
The actual message remains in plain-text and thus depends upon the
E-mail clients -- sending and receiving -- to make any
translations for unlike hosts. If such translations do not occur
correctly (or do not occur at all), the ASCII-armored conversion
during verification might not match the conversion during
signing.

3. The message might be a forgery. A hacker or virus might be
sending these messages after copying the signature from a valid
Micro$oft message. I often see this on certain newsgroups during
flame wars.

In technical terms, all three mean that a non-standard change
occurred in the message after it was signed.

Note that I do not receive Micro$oft security bulletins. Most of
them deal with problems in Internet Explorer, Outlook (or its
various clones), or M$ server products. I use none of those. I
use Eudora Lite 3.0.6 (old) for E-mail, Mozilla 1.5 (new this
week) as my Web browser, and Netscape 4.79 (old but not as old as
my Eudora) for my newsgroup browser. While these do interface
with each other, the interfaces are sufficiently weak that I
minimize the risk of spreading viruses to others. IE and Outlook
have such strong interfaces with each other (and with Windows and
Office) that they constitute the primary vehicle for spreading
viruses, thus making the security bulletins necessary.


--

David E. Ross
<http://www.rossde.com/>

Concerned about someone snooping into your E-mail?
Use PGP. See my <http://www.rossde.com/PGP/>
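Worked example, added here by the editor (it is not from any poster and not PGP's own code), of the hashing step behind David Ross's reasons 1 and 2 and MikeyD's "wrapped differently" remark. A cleartext signature is computed over a canonical form of the text: trailing spaces and tabs are stripped from each line and every line break is treated as CR-LF (the RFC 4880 cleartext rules). The code below models only that canonicalisation and the SHA-1 digest, not the RSA/DSA signature check on top of it, and then replays the kinds of changes a mail path can make. The sample bulletin text is constructed, with a placeholder URL. The result shows why a plain LF/CRLF difference or added trailing whitespace still verifies, while re-wrapping, a botched line-ending translation (doubled CR) or a one-character edit all produce "bad".

```python
import hashlib
import textwrap

# Constructed sample standing in for a signed bulletin body (not the real
# October 2003 text; the URL is a placeholder).
SIGNED_TEXT = (
    "Title: Constructed Security Bulletin Summary\n"
    "Issued: (example date)\n"
    "Bulletin: http://example.invalid/bulletin (placeholder URL)\n"
    "This sentence is deliberately longer than seventy characters so that "
    "a mail client wraps it.\n"
)


def canonicalize_cleartext(text: str) -> bytes:
    """Canonical form hashed for a cleartext signature (RFC 4880 rules):
    trailing spaces/tabs removed from each line, lines joined with CRLF,
    and the line ending before the signature block not included."""
    lines = [line.rstrip(" \t") for line in text.splitlines()]
    return "\r\n".join(lines).encode("utf-8")


def cleartext_digest(text: str) -> str:
    """SHA-1 over the canonical text (the 'Hash: SHA1' line names this).
    Only the digest step is modelled; the public-key check is omitted."""
    return hashlib.sha1(canonicalize_cleartext(text)).hexdigest()


def signature_matches(received: str, digest_from_signature: str) -> bool:
    """True when the received text canonicalises to the signed digest."""
    return cleartext_digest(received) == digest_from_signature


# --- transformations a mail path may apply after signing -----------------

def as_crlf(text: str) -> str:
    """PC-style line endings instead of LF (reason 2, done correctly)."""
    return text.replace("\n", "\r\n")


def with_trailing_whitespace(text: str) -> str:
    """Spaces appended to each line, e.g. by a formatter."""
    return "".join(line + "   \n" for line in text.splitlines())


def rewrapped(text: str, width: int = 60) -> str:
    """A client forcing a shorter line length after signing (reason 1)."""
    return "\n".join(
        textwrap.fill(line, width=width) if line else "" for line in text.splitlines()
    ) + "\n"


def double_converted(text: str) -> str:
    """A botched LF->CRLF translation applied twice (reason 2, done wrong):
    the stray CR reads as an extra empty line."""
    return text.replace("\n", "\r\r\n")


def classify_transport_changes(original: str, digest: str) -> dict:
    """Map each simulated change to whether the signature still verifies."""
    return {
        "crlf_line_endings": signature_matches(as_crlf(original), digest),
        "trailing_whitespace": signature_matches(with_trailing_whitespace(original), digest),
        "rewrapped_60_cols": signature_matches(rewrapped(original), digest),
        "double_converted_crlf": signature_matches(double_converted(original), digest),
        "one_char_edited": signature_matches(original.replace("Summary", "Summery"), digest),
    }


if __name__ == "__main__":
    digest = cleartext_digest(SIGNED_TEXT)
    for change, ok in classify_transport_changes(SIGNED_TEXT, digest).items():
        print(f"{change:24s} -> {'good' if ok else 'bad'}")
```

The practical reading of the output: "bad" alone does not tell you which of the three reasons applies, so the first check is the cheap one MikeyD suggests, comparing the received line lengths and line endings against a copy fetched directly from the publisher before treating the message as a forgery.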
 
