Certificate Validation Vulnerability In Multiple Microsoft Products
A vulnerability exists in Microsoft’s CryptoAPI that can let an attacker use digital certificates to spoof his or her identity.
September 8, 2002
Reported September 5, 2002, byMicrosoft.
VERSIONS AFFECTED
· Microsoft Windows XP
· Microsoft Windows 2000
· Microsoft Windows Me
· Microsoft Windows NT 4.0, Terminal Server Edition
· Microsoft Windows NT 4.0
· Microsoft Windows 98 Second Edition
· Microsoft Windows 98
· Microsoft Office for Mac
· Microsoft Internet Explorer for Mac
· Microsoft Outlook Express for Mac
DESCRIPTION
A vulnerability exists inMicrosoft’s CryptoAPI that can let an attacker use digital certificates tospoof his or her identity. This vulnerability stems from a problem in the APIsthat construct and validate certificate chains—they don't check the basicconstraints field. The vulnerable APIs are
· CertGetCertificateChain()
· CertVerifyCertificateChainPolicy()
· WinVerifyTrust()
The same type of vulnerability(unrelated to CryptoAPI) also applies to several products for the Macintosh.
An attacker can exploit thisvulnerability by
· Setting up a Web site that poses as a different Web siteand "proves" its identity by establishing a Secure Sockets Layer (SSL)session as the legitimate Web site
· Sending email signed using a digital certificate thatpurportedly belongs to a different user
· Spoofing certificate-based authentication systems to gainentry as a highly privileged user
· Digitally signing malware using an Authenticode certificatethat claims to have been issued to a company users might trust
VENDOR RESPONSE
Thevendor, Microsoft, has released SecurityBulletin MS02-050(Certificate Validation Flaw Could Enable Identity Spoofing) to address thisvulnerability and recommends that affected users apply the appropriate patchmentioned in the bulletin.
CREDIT
Discoveredby Microsoft.
Read more about:
MicrosoftAbout the Author
You May Also Like