Hi All,

As usual the Microsoft Security Bulletins have been released; nothing new here, but I wanted to draw your attention to MS09-007.

March advisories - http://www.microsoft.com/technet/sec.../ms09-mar.mspx
MS09-007 - http://www.microsoft.com/technet/sec.../MS09-007.mspx

<Quote>A spoofing vulnerability exists in the Microsoft Windows SChannel authentication component when using certificate based authentication. An attacker who successfully exploited this vulnerability would be able to authenticate to a server using only an authorized user’s digital certificate and without the associated private key.</Quote>

Ummm, doesn't this defeat the whole purpose of certificate-based authentication? So now, if I am using "strong" certificate-based authentication on Microsoft Windows (without the process and certificates being integrated with AD, as this channel is supposedly not vulnerable), then if some user in my domain exploited this vulnerability they could represent themselves as any other user, if you assume that public keys are in fact public, like they are supposed to be. Doesn't this render certificate-based authentication at least as weak as, and probably weaker than, password-based authentication.......

This has only been rated as "Important" by Microsoft!!!

ISC/SANS have rated it critical; I would have thought that for those using this technology that is the appropriate rating.
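As an added illustration (not from the post above or from Microsoft's bulletin), here is the proof-of-possession check that certificate-based authentication depends on: the client signs the handshake transcript with its private key, and the server verifies that signature against the public key in the presented certificate. The certificate, names, keys and transcript below are all constructed for the demo; a party holding only the certificate cannot produce a signature that passes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert builds a constructed self-signed certificate (demo only, not a real CA chain).
func newCert(name string, key *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// signTranscript is the client side: sign SHA-256(transcript) with the private key.
func signTranscript(key *ecdsa.PrivateKey, transcript []byte) []byte {
	h := sha256.Sum256(transcript)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// VerifyPossession is the server side: the signature must verify under the
// certificate's own public key. Accepting the certificate without this step is
// exactly what lets a holder of the public certificate alone authenticate.
func VerifyPossession(cert *x509.Certificate, transcript, sig []byte) bool {
	return cert.CheckSignature(x509.ECDSAWithSHA256, transcript, sig) == nil
}

// Demo returns (genuine client accepted, certificate-only impostor accepted).
func Demo() (legitOK, impostorOK bool) {
	aliceKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	aliceCert := newCert("alice", aliceKey) // constructed user certificate
	transcript := []byte("constructed transcript: server-nonce=0x01 client-nonce=0x02")
	legitOK = VerifyPossession(aliceCert, transcript, signTranscript(aliceKey, transcript))
	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // not alice's key
	impostorOK = VerifyPossession(aliceCert, transcript, signTranscript(otherKey, transcript))
	return
}

func main() {
	legit, impostor := Demo()
	fmt.Printf("genuine client accepted: %v, cert-only impostor accepted: %v\n", legit, impostor)
}
```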