Reported September 5, 2002, by Microsoft.
· Microsoft Windows XP
· Microsoft Windows 2000
· Microsoft Windows Me
· Microsoft Windows NT 4.0, Terminal Server Edition
· Microsoft Windows NT 4.0
· Microsoft Windows 98 Second Edition
· Microsoft Windows 98
· Microsoft Office for Mac
· Microsoft Internet Explorer for Mac
· Microsoft Outlook Express for Mac
A vulnerability exists in Microsoft’s CryptoAPI that can let an attacker use digital certificates to spoof his or her identity. This vulnerability stems from a problem in the APIs that construct and validate certificate chains—they don't check the basic constraints field. The vulnerable APIs are
The same type of vulnerability (unrelated to CryptoAPI) also applies to several products for the Macintosh.
An attacker can exploit this vulnerability by
· Setting up a Web site that poses as a different Web site and "proves" its identity by establishing a Secure Sockets Layer (SSL) session as the legitimate Web site
· Sending email signed using a digital certificate that purportedly belongs to a different user
· Spoofing certificate-based authentication systems to gain entry as a highly privileged user
· Digitally signing malware using an Authenticode certificate that claims to have been issued to a company users might trust
The vendor, Microsoft, has released Security Bulletin MS02-050 (Certificate Validation Flaw Could Enable Identity Spoofing) to address this vulnerability and recommends that affected users apply the appropriate patch mentioned in the bulletin.
Discovered by Microsoft.