SSL-chain also broken in Outlook, signed email in Outlook essentially meaningless
Digital signatures can easily be forged and therefore can't be trusted in Outlook because of the same certificate chaining issue plaguing Internet Explorer:
"Outlook's S/MIME implementation is vulnerable to the certificate chain spoofing attack, despite Microsoft's claim that IE is the only affected application. The vulnerability allows anyone to forge the digital signature on an email that is to be viewed with Outlook. No warnings are given, no dialogs are shown. As it stands, there is virtually no difference between signed and unsigned email in Outlook. Unless carefully inspected, signed email in Outlook is essentially meaningless. This also applies to any signed email received over the past 5+ years." SecurityFocus Posting by Mike Benham.
"Briefly, an attacker would sign an untrusted cert with a trusted, intermediate one. Of course, just because the cert doing the signing is trusted, that's no reason why its offspring should be. Unfortunately, neither IE nor Outlook check basic constraints, and for this reason the end user is never warned that the certificate chain is questionable." TheRegister report
Earlier, Mike Benham discovered the certificate chaining issue in various SSL implementations, and now he "encourages everyone to send Bill Gates an email from himself". Microsoft is the only company that has not fixed the SSL bug yet. Opera Software and the KDE/Konqueror team reacted within days, while Microsoft tries to whitewash the affair, saying that the bug is harmless despite a handy exploit being available (see below). Mozilla is not affected.
Details on the Microsoft SSL vulnerability can be found here and here. In the new version 0.4, Mike Benham's sslsniff exploit, "a simple tool that will allow for undetected hijacking of IE SSL sessions, even on a switched network (Man In The Middle attack)", now comes with a valid CA-signed certificate and key.
Entry first published 2009-05-18 00:59, last edited 2009-05-18 00:59