Microsoft Updates Certificate Security Bulletin

Microsoft Corp. on Monday released a Windows 2000-specific patch for a vulnerability the software giant disclosed last week involving the validation of digital certificates.

With the re-released security bulletin that patches Windows 2000, Microsoft has now patched Windows 98, Windows 98 Second Edition, Windows Me, Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows XP and Windows XP 64-bit Edition. Several Microsoft applications for the Mac, including three versions of Office, two versions of Internet Explorer and a version of Outlook Express have not yet been patched.

"Normally, Microsoft releases the patches for all affected products simultaneously, in order to provide a complete solution," Microsoft's newest bulletin states. "However, exploit code for htis issue has already been posted, and we are therefore releasing the patches as they become available, in order to allow customers to begin protecting their systems as quickly as possible."

The vulnerability occurs because of a flaw in the way that its cryptography application programming interface (CryptoAPI) validates X.509 digital certificates. CryptoAPI is supported in Windows NT 4.0, Windows 98, Windows 98 Second Edition, Windows 2000, Windows Me and Windows XP.

The same flaw, unrelated to CryptoAPI, is present in its Internet Explorer, Outlook Express and Office products for the Macintosh.

According to Microsoft, an attacker could exploit a flaw in the process by means of which CryptoAPI and the affected Macintosh applications construct and validate X.509 certificates to create a bogus digital certificate that's accepted as the genuine article by a vulnerable Windows or Macintosh system.

An attacker who successfully exploits this vulnerability could perform a variety of identity-spoofing attacks, Microsoft conceded. Potential attack scenarios include:

  • Spoofing a legitimate Web site to lure visitors into providing sensitive information, such as credit card number.
  • Spoofing of the digital signature of a legitimate user to send bogus e-mails Passing a bogus digital certificate to a system to spoof the identity of a legitimate user on that system.
  • Digitally signing a dangerous program in the guise of a trustworthy user or company, in order to convince a user that it is safe to run it.

    Although the software giant indicated that there are a number of factors that mitigate the scope of this vulnerability in different environments, it nonetheless assigned it a severity rating of “Critical” for all Internet servers, intranet servers and client systems running Windows. Macintosh systems with Internet Explorer, Outlook Express or Office installed are assessed with a “Moderate” rating.

    Microsoft stressed that administrators should patch their systems immediately.

    The updated bulletin is available here:

  • About the Author

    Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.


    • Basic Authentication Extended to 2H 2021 for Exchange Online Users

      Microsoft is now planning to disable Basic Authentication use with its Exchange Online service sometime in the "second half of 2021," according to a Friday announcement.

    • Microsoft Offers Endpoint Configuration Manager Advice for Keeping Remote Clients Patched

      Microsoft this week offered advice for organizations using Microsoft Endpoint Configuration Manager with remote Windows systems that need to get patched, and it also announced Update 2002.

    • Azure Edge Zones Hit Preview

      Azure Edge Zones, a new edge computing technology from Microsoft designed to enable new scenarios for developers and partners, emerged as a preview release this week.

    • Microsoft Shifts 2020 Events To Be Online Only

      Microsoft is shifting its big events this year to be online only, including Ignite 2020.

    comments powered by Disqus

    Office 365 Watch

    Sign up for our newsletter.

    Terms and Privacy Policy consent

    I agree to this site's Privacy Policy.