Certificate Validation Flaw Could Enable Identity Spoofing
A critical security flaw in the certificate processing of Microsoft Windows, Office for Mac, Internet Explorer for Mac and Outlook Express for Mac could enable a variety of identity spoofing attacks.
Issue
The IETF profile of the X.509 certificate standard (RFC 3280 at the time, since superseded by RFC 5280) defines several optional extensions that can be included in a digital certificate. One of these is the Basic Constraints extension, which carries two pieces of information: a cA flag stating whether the certificate belongs to a Certificate Authority, and so may be used to sign other certificates, or to an end entity; and an optional pathLenConstraint giving the maximum number of subordinate CA certificates that may follow it in a chain. However, the CryptoAPI functions that construct and validate certificate chains (CertGetCertificateChain(), CertVerifyCertificateChainPolicy(), and WinVerifyTrust()) do not check the Basic Constraints extension at all. The same flaw, in code unrelated to CryptoAPI, is also present in several Microsoft products for Macintosh.
The vulnerability could enable an attacker who holds a valid end-entity certificate to use its private key to issue a subordinate certificate that, although bogus, would nevertheless pass validation: every signature in the chain verifies, and nothing asks whether the signer was entitled to sign. Because CryptoAPI is used by a wide range of applications, this could enable a variety of identity spoofing attacks, including:
- Setting up a web site that poses as a different web site, and "proving" its identity by establishing an SSL session as the legitimate web site.
- Sending emails signed using a digital certificate that purportedly belongs to a different user.
- Spoofing certificate-based authentication systems to gain entry as a highly privileged user.
- Digitally signing malware using an Authenticode certificate that claims to have been issued to a company users might trust.
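The following Go program is an example added to this write-up; it is not Microsoft's code and is not part of the original advisory. It builds a three-certificate chain in memory (a root CA, an end-entity certificate whose Basic Constraints say cA=FALSE, and a certificate signed with that end-entity key for a name its holder does not own; the names Demo Root CA, attacker.example and bank.example are made up), then runs the bogus certificate through a small hand-written chain walker. With Basic Constraints ignored the walker accepts the chain, reproducing the behaviour the advisory describes; with the cA flag and pathLenConstraint enforced it rejects it. ValidateChain is an illustration of the check, not CryptoAPI's implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain holds the constructed demo chain: a trusted root, an end-entity certificate it issued
// (cA=FALSE) and a "subordinate" certificate signed with the end-entity key. Names are made up.
type Chain struct{ Root, Leaf, Bogus *x509.Certificate }

// issue generates a fresh P-256 key for the subject and signs tmpl with signer (nil = self-signed).
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildChain mints the three certificates in memory.
func BuildChain() *Chain {
	now := time.Now()
	tmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			BasicConstraintsValid: true, // always emit the Basic Constraints extension
		}
	}
	rootT := tmpl(1, "Demo Root CA")
	rootT.IsCA, rootT.KeyUsage = true, x509.KeyUsageCertSign
	root, rootKey := issue(rootT, rootT, nil)
	// Ordinary end-entity certificate: the extension is present, with cA=FALSE.
	leaf, leafKey := issue(tmpl(2, "attacker.example"), root, rootKey)
	// The holder of the leaf key can sign any bytes it likes; the question is who accepts them.
	bogus, _ := issue(tmpl(3, "bank.example"), leaf, leafKey)
	return &Chain{Root: root, Leaf: leaf, Bogus: bogus}
}

// ValidateChain walks from cert up to a trusted root. With enforceBC=false it behaves like the
// flawed validators in the advisory: a link is accepted as soon as its raw signature verifies
// (CheckSignature, not CheckSignatureFrom). With enforceBC=true every issuer must assert cA=TRUE
// and its pathLenConstraint is honoured.
func ValidateChain(cert *x509.Certificate, pool, roots []*x509.Certificate, enforceBC bool) error {
	for below := 0; below < 8; below++ { // below = intermediates between the leaf and this issuer
		var issuer *x509.Certificate
		isRoot := false
		for i, c := range append(append([]*x509.Certificate{}, roots...), pool...) {
			if c.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
				issuer, isRoot = c, i < len(roots)
				break
			}
		}
		if issuer == nil {
			return fmt.Errorf("no issuer found for %q", cert.Subject.CommonName)
		}
		if enforceBC && (!issuer.BasicConstraintsValid || !issuer.IsCA) {
			return fmt.Errorf("%q issued %q but does not assert cA=TRUE", issuer.Subject.CommonName, cert.Subject.CommonName)
		}
		if enforceBC && (issuer.MaxPathLen > 0 || issuer.MaxPathLenZero) && below > issuer.MaxPathLen {
			return fmt.Errorf("%q: pathLenConstraint %d exceeded", issuer.Subject.CommonName, issuer.MaxPathLen)
		}
		if isRoot {
			return nil
		}
		cert = issuer
	}
	return fmt.Errorf("chain too long")
}

// Check validates cert with Leaf as the only untrusted intermediate and Root as the only anchor.
func (c *Chain) Check(cert *x509.Certificate, enforceBC bool) error {
	return ValidateChain(cert, []*x509.Certificate{c.Leaf}, []*x509.Certificate{c.Root}, enforceBC)
}

func main() {
	ch := BuildChain()
	fmt.Println("signature-only validator accepts bogus cert:", ch.Check(ch.Bogus, false) == nil)
	fmt.Println("with Basic Constraints enforced:", ch.Check(ch.Bogus, true))
}
```

Run it with `go run`. Go's own crypto/x509 already applies these rules in Certificate.Verify and CheckSignatureFrom; the walker above deliberately uses the raw CheckSignature so that the flaw can be reproduced. In practice, do not hand-roll path validation, and confirm that whatever library you rely on rejects an issuer whose Basic Constraints do not assert cA=TRUE.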
Affected Products
- Microsoft Windows 98
- Microsoft Windows 98 Second Edition
- Microsoft Windows Me
- Microsoft Windows NT® 4.0
- Microsoft Windows NT 4.0, Terminal Server Edition
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Office for Mac
- Microsoft Internet Explorer for Mac
- Microsoft Outlook Express for Mac
Download
Software patches are available for the following platforms:
- Microsoft Windows 98
- Microsoft Windows Me
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0, Terminal Server Edition
- Microsoft Windows XP
Further Details
Source: Microsoft Corporation
Reference: Microsoft Corporation
Updated: September 5, 2002