Published:2004/11/17 Last Updated:2008/05/21
JVN#7C9208F1
Becky! Internet Mail vulnerability in S/MIME signature verification
Overview
Becky! Internet Mail contains the following vulnerabilities in the S/MIME signature verification:
- S/MIME signature verification does not verify the certification path.
- S/MIME signature verification does not verify the certification expiration date.
Products Affected
- Versions earlier than Becky! S/MIME plug-in Ver.1.03
Description
Impact
Even if a recipient receives an email message signed with an S/MIME signature containing a certificate forging an arbitrary email address signed by a self-signed certificate, the recipient may not notice that it is a forged email.
Solution
References
JPCERT/CC Addendum
Credit
Hiromitsu Takagi reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendors under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory | |
| CPNI Advisory | |
| TRnotes | |
| CVE | |
| JVN iPedia |
JVNDB-2004-000590 |