Microsoft Knowledge Base Article - Q328145
 

MS02-050: Certificate Validation Flaw May Permit Identity Spoofing

The information in this article applies to:
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows XP 64-Bit Edition
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows NT Server, Enterprise Edition 4.0
  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT Workstation 4.0
  • Microsoft Windows NT Server4.0, Terminal Server Edition
  • Microsoft Windows Millennium Edition
  • Microsoft Windows 98 Second Edition
  • Microsoft Windows 98
  • Microsoft Office v. X for Mac
  • Microsoft Office 2001 for Mac
  • Microsoft Office 98 Macintosh Edition
  • Microsoft Internet Explorer 4.01 for Macintosh
  • Microsoft Internet Explorer 4.5 for Macintosh
  • Microsoft Internet Explorer 5.0 for Macintosh
  • Microsoft Outlook Express 5.0 for Macintosh

SYMPTOMS

The Internet Engineering Task Force (IETF) profile of the X.509 certificate standard defines several optional fields that can be included in a digital certificate. One of these is the Basic Constraints field, which indicates the maximum permitted length of the certificate's chain and whether the certificate is a certification authority (CA) or an end-entity certificate. However, the functions in CryptoAPI that construct and validate certificate chains ( CertGetCertificateChain, CertVerifyCertificateChainPolicy, and WinVerityTrust) do not check the Basic Constraints field. A similar flaw, unrelated to CryptoAPI, is also present in several Microsoft products for Macintosh.

This vulnerability might permit an attacker who has a valid end-entity certificate to issue a bogus subordinate certificate that passes validation. Because CryptoAPI is used by many programs, this might permit a variety of identity spoofing attacks. These attacks might include:
  • Setting up a Web site that poses as a different Web site, and "proves" its identity by setting up a Secure Sockets Layer (SSL) session as the legitimate Web site.
  • Sending e-mail messages that are signed by using a digital certificate that purportedly belongs to a different user.
  • Spoofing certificate-based authentication systems to gain entry as a highly privileged user.
  • Digitally signing malicious software by using an Authenticode certificate that claims to have been issued to a company that users might trust.
For more information about this vulnerability, visit the following Microsoft Web site:

RESOLUTION

For more information about how to resolve this vulnerability, click any of the following links:

Windows XP (All Versions)

A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This fix may receive additional testing. If your computer is sufficiently at risk, Microsoft recommends that you apply this fix now. Otherwise, wait for the next Windows XP service pack that contains this fix.

To resolve this problem immediately, download the fix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site: NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Download Information

The following file is available for download from the Microsoft Download Center:

Release Date: September 4, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
    Q119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on secure servers that prevent any unauthorized changes to the file.

Installation Information

You must restart your computer after you apply this update. This update supports the following Setup switches:
  • -?: Display the list of installation switches.
  • -u: Unattended mode.
  • -f: Force other programs to quit when the computer shuts down.
  • -n: Do not back up files for removal.
  • -o: Overwrite OEM files without prompting.
  • -z: Do not restart when installation is complete.
  • -q: Quiet mode (no user interaction).
  • -l: List installed hotfixes.
  • -x Extracts the files without running Setup.
For example, to install the update without any user intervention, and then not to force the computer to restart, use the following command line:
    filename -u -q -z
WARNING: Your computer is vulnerable until you restart it.

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (also known as Universal Time Coordinate [UTC]). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows XP Home Edition and Professional:
 Date         Time   Version          Size     Path and file name
 ---------------------------------------------------------------------------
 30-Aug-2002  16:07  5.131.2600.1120  544,256  %Windir%\System32\Crypt32.dll
Windows XP 64-Bit Edition:
 Date         Time   Version          Size       Path and file name
 ------------------------------------------------------------------------------
 30-Aug-2002  16:07  5.131.2600.1120  1,920,512  %Windir%\System32\Crypt32.dll
 29-Aug-2002  14:20  5.131.2600.1120    544,256  %Windir%\SysWOW64\Wcrypt32.dll

back to the top

Windows 2000 (All Versions)

A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This fix may receive additional testing. If your computer is sufficiently at risk, Microsoft recommends that you apply this fix now. Otherwise, wait for the next Windows 2000 service pack that contains this fix.

To resolve this problem immediately, download the fix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site: NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Download Information

The following file is available for download from the Microsoft Download Center:
Release Date: September 10, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
    Q119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on secure servers that prevent any unauthorized changes to the file.

Installation Information

You must restart your computer after you apply this update. This update supports the following Setup switches:
  • -?: Display the list of installation switches.
  • -u: Unattended mode.
  • -f: Force other programs to quit when the computer shuts down.
  • -n: Do not back up files for removal.
  • -o: Overwrite OEM files without prompting.
  • -z: Do not restart when installation is complete.
  • -q: Quiet mode (no user interaction).
  • -l: List installed hotfixes.
  • -x: Extracts the files without running Setup.
For example, to install the update without any user intervention, and then to not force the computer to restart, use the following command line:
    filename -u -q -z
WARNING: Your computer is vulnerable until you restart it.

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
 Date         Time   Version          Size     Path and file name
 ----------------------------------------------------------------------------
 26-Aug-2002  16:45  5.0.2195.5781    123,664  %Windir%\System32\Adsldp.dll
 26-Aug-2002  16:45  5.0.2195.5781    131,344  %Windir%\System32\Adsldpc.dll
 26-Aug-2002  16:45  5.0.2195.5781     62,736  %Windir%\System32\Adsmsext.dll
 26-Aug-2002  16:45  5.0.2195.5992    358,160  %Windir%\System32\Advapi32.dll
 26-Aug-2002  16:45  5.0.2195.5265     42,256  %Windir%\System32\Basesrv.dll
 26-Aug-2002  16:45  5.0.2195.5855     49,424  Windir%\System32\Browser.dll
 26-Aug-2002  16:45  5.131.2195.6021  468,240  %Windir%\System32\Crypt32.dll
 26-Aug-2002  16:45  5.0.2195.6012    135,952  %Windir%\System32\Dnsapi.dll
 26-Aug-2002  16:45  5.0.2195.6012     96,016  %Windir%\System32\Dnsrslvr.dll
 26-Aug-2002  16:45  5.0.2195.5722     45,328  %Windir%\System32\Eventlog.dll
 26-Aug-2002  16:45  5.0.2195.5907    222,992  %Windir%\System32\Gdi32.dll
 26-Aug-2002  16:45  5.0.2195.5859    145,680  %Windir%\System32\Kdcsvc.dll
 04-Jun-2002  21:31  5.0.2195.5859    199,952  %Windir%\System32\Kerberos.dll
 26-Aug-2002  16:45  5.0.2195.6011    708,880  %Windir%\System32\Kernel32.dll
 21-Aug-2002  16:27  5.0.2195.6023     71,248  %Windir%\System32\Ksecdd.sys
 22-Jul-2002  23:54  5.0.2195.5960    507,152  %Windir%\System32\Lsasrv.dll
 22-Jul-2002  23:54  5.0.2195.5960     33,552  %Windir%\System32\Lsass.exe
 26-Aug-2002  16:45  5.0.2195.4733    332,560  %Windir%\System32\Msgina.dll
 13-Aug-2002  00:54  5.0.2195.6006    108,816  %Windir%\System32\Msv1_0.dll
 26-Aug-2002  16:45  5.0.2195.5979    307,472  %Windir%\System32\Netapi32.dll
 26-Aug-2002  16:45  5.0.2195.5966    360,720  %Windir%\System32\Netlogon.dll
 26-Aug-2002  16:45  5.0.2195.5979    916,752  %Windir%\System32\Ntdsa.dll
 26-Aug-2002  16:45  5.0.2195.5936    119,568  %Windir%\System32\Psbase.dll
 26-Aug-2002  16:45  5.0.2195.6025    389,392  %Windir%\System32\Samsrv.dll
 26-Aug-2002  16:45  5.0.2195.5951    129,296  %Windir%\System32\Scecli.dll
 26-Aug-2002  16:45  5.0.2195.5951    302,864  %Windir%\System32\Scesrv.dll
 26-Aug-2002  16:45  5.0.2195.6000    379,664  %Windir%\System32\User32.dll
 26-Aug-2002  16:45  5.0.2195.5968    369,936  %Windir%\System32\Userenv.dll
 26-Aug-2002  16:45  5.0.2195.5859     48,912  %Windir%\System32\W32time.dll
 04-Jun-2002  21:32  5.0.2195.5859     57,104  %Windir%\System32\W32tm.exe
 24-Aug-2002  18:50  5.0.2195.6028  1,642,416  %Windir%\System32\Win32k.sys
 15-Aug-2002  15:30  5.0.2195.6013    179,472  %Windir%\System32\Winlogon.exe
 26-Aug-2002  16:45  5.0.2195.5935    243,472  %Windir%\System32\Winsrv.dll
 26-Aug-2002  16:45  5.0.2195.5944    125,712  %Windir%\System32\Wldap32.dll
NOTE: Because of file dependencies, this update may contain additional files. This update requires Windows 2000 Service Pack 2 (SP2) or Service Pack 3 (SP3). For additional information about how to obtain the latest service pack, click the article number below to view the article in the Microsoft Knowledge Base:
    Q260910 How to Obtain the Latest Windows 2000 Service Pack

back to the top

Windows NT 4.0 (All Versions)

A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This fix may receive additional testing. If your computer is sufficiently at risk, Microsoft recommends that you apply this fix now.

To resolve this problem immediately, download the fix by clicking the download link later in this article or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, please visit the following Microsoft Web site: NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Download Information

The following files are available for download from the Microsoft Download Center:

Windows NT 4.0: Windows NT Server 4.0, Terminal Server Edition: Release Date: September 4, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
    Q119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on secure servers that prevent any unauthorized changes to the file.

Installation Information

You must restart your computer after you apply this update. This update supports the following Setup switches:
  • -y: Perform uninstall (only with -m or - q).
  • -f: Force programs to be closed at shutdown.
  • -n: Do not create an Uninstall folder.
  • -z: Do not restart when update completes.
  • -q: Quiet or Unattended mode with no user interface (this switch is a superset of -m).
  • -m: Unattended mode with user interface.
  • -l: List installed hotfixes.
  • -x: Extracts the files without running Setup.
For example, to install the update without any user intervention, and then to not force the computer to restart, use the following command line:
    filename -q -z
WARNING: Your computer is vulnerable until you restart it.

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows NT 4.0:
 Date         Time   Version        Size     Path and file name              -------------------------------------------------------------------------
 20-Aug-2002  19:03  5.131.1878.11  371,984  %Windir%\System32\Crypt32.dll
 27-Jun-2000  20:57  5.131.1877.9    62,736  %Windir%\System32\Softpub.dll
Windows NT Server 4.0, Terminal Server Edition:
 Date         Time   Version        Size     Path and file name
 -------------------------------------------------------------------------
 20-Aug-2002  19:03  5.131.1878.11  371,984  %Windir%\System32\Crypt32.dll
 27-Jun-2000  20:57  5.131.1877.9    62,736  %Windir%\System32\Softpub.dll
NOTE: Because of file dependencies, this update requires Windows NT 4.0 Service Pack 6a (SP6a) or Windows NT Server 4.0, Terminal Server Edition Service Pack 6 (SP6). For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
    Q152734 How to Obtain the Latest Windows NT 4.0 Service Pack

back to the top

Windows Me, Windows 98 Second Edition, and Windows 98

A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This fix may receive additional testing. If your computer is sufficiently at risk, Microsoft recommends that you apply this fix now.

To resolve this problem immediately, download the fix by clicking the download link later in this article or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, please visit the following Microsoft Web site: NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Download Information

The following files are available for download from the Microsoft Download Center:

Windows Millennium Edition (Me): Windows 98 and Windows 98 Second Edition: Release Date: September 5, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
    Q119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on secure servers that prevent any unauthorized changes to the file.

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows Millennium Edition:
   Date         Time   Version       Size     File name
   ------------------------------------------------------
   26-Aug-2002  18:33  5.131.2133.5  467,728  Crypt32.dll      
Windows 98 and Windows 98 Second Edition:
   Date         Time   Version        Size     File name
   -------------------------------------------------------
   20-Aug-2002  19:03  5.131.1878.11  371,984  Crypt32.dll

back to the top

Office v. X, Office 2001, and Office 98 for Mac

A patch is under development. When it is available, this article will be updated with the download information.

back to the top

Outlook Express for Mac

A patch is under development. When it is available, this article will be updated with the download information.

back to the top

Internet Explorer for Mac

A patch is under development. When it is available, this article will be updated with the download information.

back to the top

STATUS

Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

For more information about this vulnerability, visit the following Microsoft Web site: