Microsoft Updates Certificate Security Bulletin
- By Stephen Swoyer
- September 10, 2002
Microsoft Corp. on Monday released a Windows 2000-specific patch for a vulnerability the software giant disclosed last week involving the validation of digital certificates.
With the re-released security bulletin that patches Windows 2000, Microsoft has now patched Windows 98, Windows 98 Second Edition, Windows Me, Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows XP and Windows XP 64-bit Edition. Several Microsoft applications for the Mac, including three versions of Office, two versions of Internet Explorer and a version of Outlook Express have not yet been patched.
"Normally, Microsoft releases the patches for all affected products simultaneously, in order to provide a complete solution," Microsoft's newest bulletin states. "However, exploit code for htis issue has already been posted, and we are therefore releasing the patches as they become available, in order to allow customers to begin protecting their systems as quickly as possible."
The vulnerability occurs because of a flaw in the way that its cryptography application programming interface (CryptoAPI) validates X.509 digital certificates. CryptoAPI is supported in Windows NT 4.0, Windows 98, Windows 98 Second Edition, Windows 2000, Windows Me and Windows XP.
The same flaw, unrelated to CryptoAPI, is present in its Internet Explorer, Outlook Express and Office products for the Macintosh.
According to Microsoft, an attacker could exploit a flaw in the process by means of which CryptoAPI and the affected Macintosh applications construct and validate X.509 certificates to create a bogus digital certificate that's accepted as the genuine article by a vulnerable Windows or Macintosh system.
An attacker who successfully exploits this vulnerability could perform a variety of identity-spoofing attacks, Microsoft conceded. Potential attack scenarios include:
Spoofing a legitimate Web site to lure visitors into providing sensitive information, such as credit card number.
Spoofing of the digital signature of a legitimate user to send bogus e-mails
Passing a bogus digital certificate to a system to spoof the identity of a legitimate user on that system.
Digitally signing a dangerous program in the guise of a trustworthy user or company, in order to convince a user that it is safe to run it.
Although the software giant indicated that there are a number of factors that mitigate the scope of this vulnerability in different environments, it nonetheless assigned it a severity rating of “Critical” for all Internet servers, intranet servers and client systems running Windows. Macintosh systems with Internet Explorer, Outlook Express or Office installed are assessed with a “Moderate” rating.
Microsoft stressed that administrators should patch their systems immediately.
The updated bulletin is available here:
Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.