Certificate Validation Vulnerability In Multiple Microsoft Products

A vulnerability exists in Microsoft’s CryptoAPI that can let an attacker use digital certificates to spoof his or her identity.

Ken Pfeil

September 8, 2002

4 Min Read
ITPro Today logo in a gray background | ITPro Today

Reported September 5, 2002, byMicrosoft.

VERSIONS AFFECTED

 

·        Microsoft Windows XP

·        Microsoft Windows 2000

·        Microsoft Windows Me

·        Microsoft Windows NT 4.0, Terminal Server Edition

·        Microsoft Windows NT 4.0

·        Microsoft Windows 98 Second Edition

·        Microsoft Windows 98

·        Microsoft Office for Mac

·        Microsoft Internet Explorer for Mac

·        Microsoft Outlook Express for Mac

 

DESCRIPTION

 

A vulnerability exists inMicrosoft’s CryptoAPI that can let an attacker use digital certificates tospoof his or her identity. This vulnerability stems from a problem in the APIsthat construct and validate certificate chains—they don't check the basicconstraints field. The vulnerable APIs are

 

·        CertGetCertificateChain()

·        CertVerifyCertificateChainPolicy()

·        WinVerifyTrust()

 

The same type of vulnerability(unrelated to CryptoAPI) also applies to several products for the Macintosh.

 

An attacker can exploit thisvulnerability by

 

·        Setting up a Web site that poses as a different Web siteand "proves" its identity by establishing a Secure Sockets Layer (SSL)session as the legitimate Web site

·        Sending email signed using a digital certificate thatpurportedly belongs to a different user

·        Spoofing certificate-based authentication systems to gainentry as a highly privileged user

·        Digitally signing malware using an Authenticode certificatethat claims to have been issued to a company users might trust

 

VENDOR RESPONSE

 

Thevendor, Microsoft, has released SecurityBulletin MS02-050(Certificate Validation Flaw Could Enable Identity Spoofing) to address thisvulnerability and recommends that affected users apply the appropriate patchmentioned in the bulletin.

 

CREDIT

Discoveredby Microsoft.

Read more about:

Microsoft
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like