Thread: certificate enrollment flaw

  1. #1
    Senior Member
    Join Date
    May 2002

    Post certificate enrollment flaw

    Another flaw in Microsoft... this one may interest m$ users.

    ----------------------------------------------------------------------
    Title: Flaw in Certificate Enrollment Control Could Allow
    Deletion of Digital Certificates (Q323172)
    Date: 28 August 2002
    Software: Microsoft Windows 98
    Microsoft Windows 98 Second Edition
    Microsoft Windows Millennium
    Microsoft Windows NT 4.0
    Microsoft Windows 2000
    Microsoft Windows XP
    Impact: Denial of service
    Max Risk: Critical
    Bulletin: MS02-048

    Microsoft encourages customers to review the Security Bulletin at:
    ----------------------------------------------------------------------

    All versions of Windows ship with an ActiveX control known as the
    Certificate Enrollment Control, the purpose of which is to allow
    web-based certificate enrollments. The control is used to submit PKCS
    #10 compliant certificate requests, and upon receiving the requested
    certificate, stores it in the user's local certificate store.

    The control contains a flaw that could enable a web page, through
    an extremely complex process, to invoke the control in a way that
    would delete certificates on a user's system. An attacker who
    successfully exploited the vulnerability could corrupt trusted root
    certificates, EFS encryption certificates, email signing certificates,
    and any other certificates on the system, thereby preventing the user
    from using these features.

    An attack could be carried out through either of two scenarios. The
    attacker could create a web page that exploits the vulnerability,
    and host it on a web site in order to attack users who visited the
    site. The attacker also could send the page as an HTML mail in order
    to attack the recipient.

    A new version of the control is available that corrects the
    vulnerability, and can be installed via the patch. A patch is
    available for all other Windows systems, as discussed in the Patch
    Availability section below. Internet Explorer 5 or later is a
    prerequisite to installing the patch. As discussed in the Caveats
    section, customers who operate web sites that use the Certificate
    Enrollment Control will need to make minor revisions to their web
    applications in order to use the new control. Microsoft Knowledge
    Base article Q323172 details how to do this.

    In addition, the patch addresses a similar, but less serious
    vulnerability discovered in the SmartCard Enrollment control.
    This control ships with Windows 2000 and Windows XP. A new version
    of this control is also provided.

    Mitigating Factors:
    - The web site-based attack vector could not be exploited if ActiveX
    controls were disabled in the Security Zone associated with the
    attacker's site.
    - The mail-based attack vector could not be exploited if the
    recipient's email client handles HTML mail in the Restricted Sites
    Zone. Outlook Express 6 and Outlook 2002 open mail in this zone by
    default. Outlook 98 and 2000 open HTML mail in the Restricted Sites
    Zone if the Outlook Email Security Update has been installed.
    - The vulnerability would not enable certificates on smart cards to
    be corrupted, even if the smart card were in the system at the time
    of an attack.

    Risk Rating:
    - Internet systems: Low
    - Intranet systems: Low
    - Client systems: Critical

    Patch Availability:
    - A patch is available to fix this vulnerability. Please read the
    Security Bulletin at
    for information on obtaining this patch.

    ---------------------------------------------------------------------
    just like water off a duck's back... I AM HERE.

    for CMOS help, check out my CMOS tut?
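
The first two mitigating factors in the bulletin quoted above depend on whether ActiveX is disabled in the Security Zone that renders the page or the HTML mail. As an added example (not part of the original post or the bulletin), this Python script audits a registry export of the Internet Explorer zone settings for URL action 1200, "Run ActiveX controls and plug-ins"; the export text is a constructed sample and the function names are this example's own.

```python
import re
# Constructed sample: text of a "reg export" of the per-user IE zone settings.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1200"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1200"=dword:00000003
'''

ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}
RUN_ACTIVEX = "1200"  # URL action "Run ActiveX controls and plug-ins"
POLICY = {0: "enabled", 1: "prompt", 3: "disabled", 0x10000: "admin-approved only"}
KEY_RE = re.compile(r"^\[.*\\Internet Settings\\Zones\\(\d+)\]$", re.I)
VAL_RE = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')

def parse_zone_actions(reg_text):
    """Return {zone_id: {action_code: value}} from .reg export text."""
    zones, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = zones.setdefault(int(m.group(1)), {})
            continue
        if line.startswith("["):
            current = None  # a key outside Zones\<n>: ignore its values
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            current[m.group(1).upper()] = int(m.group(2), 16)
    return zones

def activex_exposure(reg_text):
    """Map zone name -> policy label for action 1200 ('not set' if the value is absent)."""
    out = {}
    for zid, actions in sorted(parse_zone_actions(reg_text).items()):
        val = actions.get(RUN_ACTIVEX)
        out[ZONES.get(zid, f"zone {zid}")] = "not set" if val is None else POLICY.get(val, f"unknown (0x{val:x})")
    return out

def zones_allowing_activex(reg_text):
    """Zones where the zone setting does not block the control (anything but 'disabled')."""
    return [zone for zone, policy in activex_exposure(reg_text).items() if policy != "disabled"]

if __name__ == "__main__":
    for zone, policy in activex_exposure(SAMPLE_REG).items():
        print(f"{zone}: Run ActiveX = {policy}")
```

A zone reported as "not set" falls back to a default the export does not show, so the script conservatively lists it as allowing ActiveX.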

  2. #2
    Senior Member
    Join Date
    Aug 2001
    I got this email this morning too.

    It's looking pretty bad for Microsoft's new "focus" on security. In the past few weeks we have had a major SSL vulnerability from their browser, that turned out NOT to be the browser's problem but in all actuality the CryptoAPI that the OS uses. This is followed up by the possibility that IE could have its certificates deleted... not good at all.

    This is even MORE reason to leave the MS browser world and get on to something like Mozilla or Opera. This also makes a much stronger case to move over to an alternative OS for business workstations.

    El Diablo
    well at least I have a job because of Microsoft
