Reported September 5, 2002, by Microsoft.
VERSIONS AFFECTED
· Microsoft Windows XP
· Microsoft Windows 2000
· Microsoft Windows Me
· Microsoft Windows NT 4.0, Terminal Server Edition
· Microsoft Windows NT 4.0
· Microsoft Windows 98 Second Edition
· Microsoft Windows 98
· Microsoft Office for Mac
· Microsoft Internet Explorer for Mac
· Microsoft Outlook Express for Mac
DESCRIPTION
A vulnerability exists in Microsoft’s CryptoAPI that can let an attacker use digital certificates to spoof his or her identity. This vulnerability stems from a problem in the APIs that construct and validate certificate chains: they don't check the Basic Constraints field. The vulnerable APIs are:
· CertGetCertificateChain()
· CertVerifyCertificateChainPolicy()
· WinVerifyTrust()
The same type of vulnerability (unrelated to CryptoAPI) also applies to several products for the Macintosh.
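The check that was skipped, sketched as an added example (not Microsoft's code and not taken from the bulletin): under RFC 5280, every certificate used as an issuer in a chain must carry Basic Constraints with the CA flag set, and any path length limit must hold. The `Cert` model, the names and the sample chains are constructed for illustration; signature, validity and revocation checks are left out.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cert:
    """Constructed model: only the fields the Basic Constraints check needs."""
    subject: str
    issuer: str
    is_ca: bool = False             # Basic Constraints cA flag (absent = False)
    path_len: Optional[int] = None  # pathLenConstraint (None = no limit)


def basic_constraints_errors(chain: List[Cert]) -> List[str]:
    """chain[0] is the leaf, chain[-1] the trust anchor; returns violations."""
    errors = []
    for i in range(1, len(chain)):
        issuer, child = chain[i], chain[i - 1]
        if child.issuer != issuer.subject:
            errors.append(f"{child.subject}: issuer is not {issuer.subject}")
        # Only a certificate marked as a CA may act as an issuer.
        if not issuer.is_ca:
            errors.append(f"{issuer.subject}: used as issuer but is not a CA")
        # i - 1 = number of intermediate CA certificates below this issuer.
        if issuer.is_ca and issuer.path_len is not None and i - 1 > issuer.path_len:
            errors.append(f"{issuer.subject}: path length {issuer.path_len} exceeded")
    return errors


# Constructed sample chains (leaf first, trust anchor last).
ROOT = Cert("Example Root CA", "Example Root CA", is_ca=True)
GOOD = [Cert("www.example.test", "Example Root CA"), ROOT]
# An end-entity certificate (CA flag not set) appears as an issuer.
BAD_ISSUER = [
    Cert("www.other.test", "site.example.test"),
    Cert("site.example.test", "Example Root CA", is_ca=False),
    ROOT,
]
# The root allows no intermediate CAs, yet one is present.
TOO_DEEP = [
    Cert("www.example.test", "Example Sub CA"),
    Cert("Example Sub CA", "Example Limited Root", is_ca=True),
    Cert("Example Limited Root", "Example Limited Root", is_ca=True, path_len=0),
]

if __name__ == "__main__":
    for name, chain in [("GOOD", GOOD), ("BAD_ISSUER", BAD_ISSUER), ("TOO_DEEP", TOO_DEEP)]:
        print(name, basic_constraints_errors(chain) or "ok")
```

A validator that omits the `is_ca` test accepts `BAD_ISSUER`, because each link in that chain is otherwise consistent.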
An attacker can exploit this vulnerability by:
· Setting up a Web site that poses as a different Web site and "proves" its identity by establishing a Secure Sockets Layer (SSL) session as the legitimate Web site
· Sending email signed using a digital certificate that purportedly belongs to a different user
· Spoofing certificate-based authentication systems to gain entry as a highly privileged user
· Digitally signing malware using an Authenticode certificate that claims to have been issued to a company users might trust
VENDOR RESPONSE
The vendor, Microsoft, has released Security Bulletin MS02-050 (Certificate Validation Flaw Could Enable Identity Spoofing) to address this vulnerability and recommends that affected users apply the appropriate patch mentioned in the bulletin.
CREDIT
Discovered by Microsoft.