Certificate Validation Vulnerability In Multiple Microsoft Products

Reported September 5, 2002, by Microsoft.



·         Microsoft Windows XP

·         Microsoft Windows 2000

·         Microsoft Windows Me

·         Microsoft Windows NT 4.0, Terminal Server Edition

·         Microsoft Windows NT 4.0

·         Microsoft Windows 98 Second Edition

·         Microsoft Windows 98

·         Microsoft Office for Mac

·         Microsoft Internet Explorer for Mac

·         Microsoft Outlook Express for Mac




A vulnerability exists in Microsoft’s CryptoAPI that can let an attacker use digital certificates to spoof his or her identity. This vulnerability stems from a problem in the APIs that construct and validate certificate chains—they don't check the basic constraints field. The vulnerable APIs are


·         CertGetCertificateChain()

·         CertVerifyCertificateChainPolicy()

·         WinVerifyTrust()


The same type of vulnerability (unrelated to CryptoAPI) also applies to several products for the Macintosh.


An attacker can exploit this vulnerability by


·         Setting up a Web site that poses as a different Web site and "proves" its identity by establishing a Secure Sockets Layer (SSL) session as the legitimate Web site

·         Sending email signed using a digital certificate that purportedly belongs to a different user

·         Spoofing certificate-based authentication systems to gain entry as a highly privileged user

·         Digitally signing malware using an Authenticode certificate that claims to have been issued to a company users might trust




The vendor, Microsoft, has released Security Bulletin MS02-050 (Certificate Validation Flaw Could Enable Identity Spoofing) to address this vulnerability and recommends that affected users apply the appropriate patch mentioned in the bulletin.



Discovered by Microsoft.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.