Certificate Validation Vulnerability In Multiple Microsoft Products

Reported September 5, 2002, by Microsoft.

VERSIONS AFFECTED

· Microsoft Windows XP
· Microsoft Windows 2000
· Microsoft Windows Me
· Microsoft Windows NT 4.0, Terminal Server Edition
· Microsoft Windows NT 4.0
· Microsoft Windows 98 Second Edition
· Microsoft Windows 98
· Microsoft Office for Mac
· Microsoft Internet Explorer for Mac
· Microsoft Outlook Express for Mac

DESCRIPTION

A vulnerability exists in Microsoft’s CryptoAPI that can let an attacker use digital certificates to spoof his or her identity. This vulnerability stems from a problem in the APIs that construct and validate certificate chains—they don't check the basic constraints field. The vulnerable APIs are

· CertGetCertificateChain()
· CertVerifyCertificateChainPolicy()
· WinVerifyTrust()

The same type of vulnerability (unrelated to CryptoAPI) also applies to several products for the Macintosh.
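The basic constraints check that the description says was skipped can be sketched as follows. This is an added example, not Microsoft's code or part of the original advisory; the cert_t struct, check_chain() and the sample chains are constructed for illustration and model only the fields involved.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified certificate model constructed for this example, not CryptoAPI's CERT_CONTEXT. */
typedef struct {
    const char *subject, *issuer;
    bool has_bc;   /* basicConstraints extension present */
    bool is_ca;    /* cA flag inside basicConstraints */
    int  path_len; /* pathLenConstraint, -1 when absent */
} cert_t;

typedef enum { CHAIN_OK, CHAIN_BAD_LINK, CHAIN_NOT_CA, CHAIN_TOO_LONG } chain_result;
/* chain[0] is the end-entity cert, chain[n-1] the trusted root.
   Signature and validity-period checks are assumed to happen elsewhere. */
chain_result check_chain(const cert_t *chain, size_t n)
{
    for (size_t i = 0; i + 1 < n; i++) {
        const cert_t *child = &chain[i], *parent = &chain[i + 1];
        if (strcmp(child->issuer, parent->subject) != 0)
            return CHAIN_BAD_LINK;
        /* The step the advisory says was skipped: every issuer must be a CA. */
        if (!parent->has_bc || !parent->is_ca)
            return CHAIN_NOT_CA;
        /* i intermediates sit below this issuer (indexes 1..i). */
        if (parent->path_len >= 0 && (size_t)parent->path_len < i)
            return CHAIN_TOO_LONG;
    }
    return CHAIN_OK;
}

/* Constructed sample chains. */
static const cert_t good_chain[] = {
    { "host.example.test", "Example Issuing CA", true, false, -1 },
    { "Example Issuing CA", "Example Root CA", true, true, 0 },
    { "Example Root CA", "Example Root CA", true, true, -1 },
};
static const cert_t bad_chain[] = {
    { "other.example.test", "host.example.test", false, false, -1 },
    { "host.example.test", "Example Issuing CA", true, false, -1 },
    { "Example Issuing CA", "Example Root CA", true, true, 0 },
    { "Example Root CA", "Example Root CA", true, true, -1 },
};

int main(void)
{
    printf("good=%d bad=%d\n", (int)check_chain(good_chain, 3), (int)check_chain(bad_chain, 4));
}
```

A validator that performs only the name-chaining step would accept both sample chains; with the cA check in place the second one is rejected at the issuer that is not a CA.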

 

An attacker can exploit this vulnerability by

· Setting up a Web site that poses as a different Web site and "proves" its identity by establishing a Secure Sockets Layer (SSL) session as the legitimate Web site
· Sending email signed using a digital certificate that purportedly belongs to a different user
· Spoofing certificate-based authentication systems to gain entry as a highly privileged user
· Digitally signing malware using an Authenticode certificate that claims to have been issued to a company users might trust

VENDOR RESPONSE

The vendor, Microsoft, has released Security Bulletin MS02-050 (Certificate Validation Flaw Could Enable Identity Spoofing) to address this vulnerability and recommends that affected users apply the appropriate patch mentioned in the bulletin.

CREDIT

Discovered by Microsoft.
