Certificate Validation Vulnerability In Multiple Microsoft Products

Reported September 5, 2002, byMicrosoft.

VERSIONS AFFECTED

·        Microsoft Windows XP

·        Microsoft Windows 2000

·        Microsoft Windows Me

·        Microsoft Windows NT 4.0, Terminal Server Edition

·        Microsoft Windows NT 4.0

·        Microsoft Windows 98 Second Edition

·        Microsoft Windows 98

·        Microsoft Office for Mac

·        Microsoft Internet Explorer for Mac

·        Microsoft Outlook Express for Mac

DESCRIPTION

A vulnerability exists inMicrosoft’s CryptoAPI that can let an attacker use digital certificates tospoof his or her identity. This vulnerability stems from a problem in the APIsthat construct and validate certificate chains—they don't check the basicconstraints field. The vulnerable APIs are

·        CertGetCertificateChain()

·        CertVerifyCertificateChainPolicy()

·        WinVerifyTrust()

The same type of vulnerability(unrelated to CryptoAPI) also applies to several products for the Macintosh.

An attacker can exploit thisvulnerability by

·        Setting up a Web site that poses as a different Web siteand "proves" its identity by establishing a Secure Sockets Layer (SSL)session as the legitimate Web site

·        Sending email signed using a digital certificate thatpurportedly belongs to a different user

·        Spoofing certificate-based authentication systems to gainentry as a highly privileged user

·        Digitally signing malware using an Authenticode certificatethat claims to have been issued to a company users might trust

VENDOR RESPONSE

Thevendor, Microsoft, has released SecurityBulletin MS02-050(Certificate Validation Flaw Could Enable Identity Spoofing) to address thisvulnerability and recommends that affected users apply the appropriate patchmentioned in the bulletin.

CREDIT

Discoveredby Microsoft.