News

Microsoft Updates Certificate Security Bulletin

Microsoft Corp. on Monday released a Windows 2000-specific patch for a vulnerability the software giant disclosed last week involving the validation of digital certificates.

With the re-released security bulletin that patches Windows 2000, Microsoft has now patched Windows 98, Windows 98 Second Edition, Windows Me, Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows XP and Windows XP 64-bit Edition. Several Microsoft applications for the Mac, including three versions of Office, two versions of Internet Explorer and a version of Outlook Express have not yet been patched.

"Normally, Microsoft releases the patches for all affected products simultaneously, in order to provide a complete solution," Microsoft's newest bulletin states. "However, exploit code for htis issue has already been posted, and we are therefore releasing the patches as they become available, in order to allow customers to begin protecting their systems as quickly as possible."

The vulnerability occurs because of a flaw in the way that its cryptography application programming interface (CryptoAPI) validates X.509 digital certificates. CryptoAPI is supported in Windows NT 4.0, Windows 98, Windows 98 Second Edition, Windows 2000, Windows Me and Windows XP.

The same flaw, unrelated to CryptoAPI, is present in its Internet Explorer, Outlook Express and Office products for the Macintosh.

According to Microsoft, an attacker could exploit a flaw in the process by means of which CryptoAPI and the affected Macintosh applications construct and validate X.509 certificates to create a bogus digital certificate that's accepted as the genuine article by a vulnerable Windows or Macintosh system.

An attacker who successfully exploits this vulnerability could perform a variety of identity-spoofing attacks, Microsoft conceded. Potential attack scenarios include:

  • Spoofing a legitimate Web site to lure visitors into providing sensitive information, such as credit card number.
  • Spoofing of the digital signature of a legitimate user to send bogus e-mails Passing a bogus digital certificate to a system to spoof the identity of a legitimate user on that system.
  • Digitally signing a dangerous program in the guise of a trustworthy user or company, in order to convince a user that it is safe to run it.

    Although the software giant indicated that there are a number of factors that mitigate the scope of this vulnerability in different environments, it nonetheless assigned it a severity rating of “Critical” for all Internet servers, intranet servers and client systems running Windows. Macintosh systems with Internet Explorer, Outlook Express or Office installed are assessed with a “Moderate” rating.

    Microsoft stressed that administrators should patch their systems immediately.

    The updated bulletin is available here:
    www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-050.asp.

  • About the Author

    Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.

    Featured

    • How To Enable Guest Access for Office 365

      While it's possible to give outside users access to certain content in your organization's Office 365 environment, the process of setting them up requires a few extra steps.

    • Microsoft Now Supports OpenSSH in Windows Server 2019

      Microsoft announced on Tuesday that the OpenSSH solution used for remote management is now a supported "Features on Demand" addition in both Windows 10 version 1809 and Windows Server 2019.

    • Microsoft's December Security Patches Includes Fixes for Two Active Exploits

      Microsoft ended the patch year on Tuesday with a whimper of sorts, releasing an estimated 39 security fixes in its December bundle plus one security advisory, according to a count by Trend Micro's Zero Day Initiative.

    • Microsoft Edge Browser To Get New Rendering Engine but EdgeHTML Continues

      Microsoft isn't exactly killing off its EdgeHTML rendering engine, even after declaring plans to use Chromium open source technologies in its Edge browser.

    comments powered by Disqus
    Most   Popular

    Office 365 Watch

    Sign up for our newsletter.

    Terms and Privacy Policy consent

    I agree to this site's Privacy Policy.