News

Patch Posted for Critical Vulnerability Involving Certificates in Windows

Microsoft alerted users early Thursday to a critical vulnerability involving an ActiveX control that ships in all supported Windows clients. A patch is available.

The ActiveX control, known as the Certificate Enrollment Control, is for allowing Web-based certificate enrollments. Specifically, the control submits PKCS #10 compliant certificate requests. When it receives the requested certificate, the control stores it in the user's local certificate store.

"An attacker who successfully exploited the vulnerability could corrupt trusted root certificates, EFS encryption certificates, e-mail signing certificates, and any other certificates on the system, thereby preventing the user from using these features," Microsoft warned.

A patch replaces the ActiveX control with one that does not contain the flaw. It also replaces the SmartCard Enrollment control, which ships with Windows 2000 and Windows XP and contains a similar vulnerability that is less serious.

There are two ways an attacker could exploit the critical flaw. The attacker could lure users to a Web page on a site that exploits the vulnerability. Or the attacker could send the page as an HTML e-mail.

Exploiting the flaw is "an extremely complex process," Microsoft asserts. The company lists several mitigating factors. Users are immune to the Web site-based attack vector if ActiveX controls are disabled in the Internet Explorer Security Zone associated with the attacker's site. Outlook 2002 and Outlook Express 6 open HTML e-mail in the Restricted Sites Zone by default. Outlook 98 and Outlook 2000 also open HTML e-mail in the Restricted Sites Zone if users have installed the Outlook E-mail Security Update.

The critical vulnerability affects Windows 98, Windows 98 Second Edition, Windows Millennium, Windows NT 4.0, Windows 2000 and Windows XP. Microsoft categorizes the impact as a denial of service.

For more information, see Microsoft's security bulletin:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-048.asp.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

  • Report: Cost, Sustainability Drive DaaS Adoption Beyond Remote Work

    Gartner's 2025 Magic Quadrant for Desktop as a Service reveals that while secure remote access remains a key driver of DaaS adoption, a growing number of deployments now focus on broader efficiency goals.

  • Windows 365 Reserve, Microsoft's Cloud PC Rental Service, Hits Preview

    Microsoft has launched a limited public preview of its new "Windows 365 Reserve" service, which lets organizations rent cloud PC instances in the event their Windows devices are stolen, lost or damaged.

  • Hands-On AI Skills Now Outshine Certs in Salary Stakes

    For AI-related roles, employers are prioritizing verifiable, hands-on abilities over framed certificates -- and they're paying a premium for it.

  • Roadblocks in Enterprise AI: Data and Skills Shortfalls Could Cost Millions

    Businesses risk losing up to $87 million a year if they fail to catch up with AI innovation, according to the Couchbase FY 2026 CIO AI Survey released this month.