Reported August 28, 2002, by Microsoft.
VERSIONS AFFECTED
· Windows XP
· Windows 2000
· Windows NT 4.0
· Windows Me
· Windows 98 Second Edition (Win98SE)
· Windows 98
DESCRIPTION
A vulnerability exists in all versions of Microsoft Windows that could allow an attacker to delete digital certificates located on a vulnerable system. The vulnerability results from a flaw in the Certificate Enrollment Control (CEC), the ActiveX control that Windows uses to submit PKCS #10-compliant certificate requests and store them in the user’s local certificate store. An attacker who successfully exploits the vulnerability could corrupt trusted root certificates, Encrypting File System (EFS) encryption certificates, email-signing certificates, and any other certificates on the vulnerable system.
VENDOR RESPONSE
The vendor, Microsoft, has released Security Bulletin MS02-048 to address this vulnerability and recommends that affected users immediately download and apply the patch referenced in the bulletin.
CREDIT
Discovered by Microsoft.