Microsoft Knowledge Base Article - 329115
 

MS02-050: Certificate Validation Flaw Might Permit Identity Spoofing

The information in this article applies to:
  • Microsoft Windows NT Server 4.0 Terminal Server Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows XP 64-Bit Edition
  • Microsoft Windows NT Server, Enterprise Edition 4.0
  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT Workstation 4.0
  • Microsoft Windows Millennium Edition
  • Microsoft Windows 98 Second Edition
  • Microsoft Windows 98
  • Microsoft Office 2001 for Mac
  • Microsoft Office 98 Macintosh Edition
  • Microsoft Office v. X for Mac
  • Microsoft Internet Explorer 4.01 for Macintosh
  • Microsoft Internet Explorer 4.5 for Macintosh
  • Microsoft Internet Explorer 5.0 for Macintosh
  • Microsoft Outlook Express 5.0 for Macintosh
This article was previously published under Q329115
This article replaces Microsoft Knowledge Base article 328145.

SYMPTOMS

The original version of Microsoft Security Bulletin MS02-050 was released on September 5, 2002. On September 9, 2002, the bulletin was updated to advise customers that a Microsoft-issued digital certificate that was used to sign device drivers did not meet the stricter validation standards that were established by the patch. Therefore, customers who installed the patch might receive unexpected error messages when they installed new hardware, or in some cases, might not be able to install new hardware. An updated patch was released on November 20, 2002. This new patch not only prevents this problem, but also prevents a newly discovered variant of the original vulnerability.

The IETF profile of the X.509 certificate standard defines several optional fields that can be included in a digital certificate. One of these is the Basic Constraints field, which indicates the maximum permitted length of the certificate's chain and whether the certificate is a certification authority or an end-entity certificate. However, the functions in CryptoAPI that construct and validate certificate chains (the CertGetCertificateChain, CertVerifyCertificateChainPolicy, and WinVerifyTrust functions) do not check the Basic Constraints field. The same flaw, unrelated to CryptoAPI, is also present in several Microsoft products for Macintosh.

The vulnerability that was identified in the original version of the bulletin might permit an attacker who has a valid end-entity certificate to issue a subordinate certificate that, although not actually valid, passes validation. Because CryptoAPI is used by many programs, this might permit a variety of identity spoofing attacks. These might include:
  • Setting up a Web site that poses as a different Web site, and "proving" its identity by establishing an SSL session as the legitimate Web site.
  • Sending e-mail messages that are signed by using a digital certificate that purportedly belongs to a different user.
  • Spoofing certificate-based authentication systems to gain entry as a highly privileged user.
  • Digitally signing malicious software by using an Authenticode certificate that claims to have been issued to a company that users might trust.
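
The missing check described above, shown as a simplified model. This is an added example, not Microsoft code and not a call into CryptoAPI: the Cert class, the function names and the sample certificates are constructed for illustration, and signature verification is assumed to happen elsewhere.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cert:
    """Constructed stand-in for an X.509 certificate (no real cryptography)."""
    subject: str
    issuer: str
    is_ca: bool = False              # Basic Constraints: cA flag
    path_len: Optional[int] = None   # Basic Constraints: pathLenConstraint


def names_chain(chain: List[Cert], trusted_roots: set) -> bool:
    """Issuer/subject linkage up to a trusted root only.

    Models a validator that ignores Basic Constraints. chain is leaf-first.
    """
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    return chain[-1].subject in trusted_roots


def basic_constraints_problems(chain: List[Cert]) -> List[str]:
    """Return one message per Basic Constraints violation in a leaf-first chain."""
    problems = []
    for i, issuer in enumerate(chain[1:], start=1):
        if not issuer.is_ca:
            problems.append(f"{issuer.subject}: issued a certificate but is not a CA")
        intermediates_below = i - 1  # CA certificates between this one and the leaf
        if issuer.path_len is not None and intermediates_below > issuer.path_len:
            problems.append(f"{issuer.subject}: path length {issuer.path_len} exceeded")
    return problems


def validate_strict(chain: List[Cert], trusted_roots: set) -> bool:
    """Name chaining plus the Basic Constraints check."""
    return names_chain(chain, trusted_roots) and not basic_constraints_problems(chain)


# Constructed sample data.
ROOTS = {"Example Root CA"}
root = Cert("Example Root CA", "Example Root CA", is_ca=True)
issuing = Cert("Example Issuing CA", "Example Root CA", is_ca=True, path_len=0)
end_entity = Cert("www.example.test", "Example Issuing CA")       # valid end-entity
subordinate = Cert("login.other.test", "www.example.test")        # issued by an end-entity

GOOD_CHAIN = [end_entity, issuing, root]
BAD_CHAIN = [subordinate, end_entity, issuing, root]

if __name__ == "__main__":
    for name, chain in (("good", GOOD_CHAIN), ("bad", BAD_CHAIN)):
        print(name, names_chain(chain, ROOTS), validate_strict(chain, ROOTS),
              basic_constraints_problems(chain))
```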
The newly discovered vulnerability that was announced on November 20, 2002, is closely related to the vulnerability that is discussed in the original version of the bulletin. Like that vulnerability, the new vulnerability involves a flaw in the way in which certificate validation is performed. However, this vulnerability might permit an attacker to gain control over a user's computer. Because a fix for this vulnerability was not included in the original version of the patch, Microsoft strongly recommends that customers install the new patch, even if they installed the original version of the patch.

Only Microsoft Windows 98, Microsoft Windows 98 Second Edition, Microsoft Windows NT 4.0, and Microsoft Windows NT 4.0, Terminal Server Edition, are affected by this variant of the vulnerability.

For additional information about the original release of this patch, click the article number below to view the article in the Microsoft Knowledge Base:
328145 MS02-050: Certificate Validation Flaw May Permit Identity Spoofing

RESOLUTION

For more information about how to resolve this vulnerability, click any of the following links:

Windows XP (All Versions)

Download Information

The following file is available for download from the Microsoft Download Center:



Release Date: November 20, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on secure servers that prevent any unauthorized changes to the file.

Installation Information

You must restart your computer after you apply this update. This update supports the following Setup switches:
  • /?: Display the list of installation switches.
  • /u: Unattended mode.
  • /f: Force other programs to quit when the computer shuts down.
  • /n: Do not back up files for removal.
  • /o: Overwrite OEM files without prompting.
  • /z: Do not restart when installation is complete.
  • /q: Quiet mode (no user interaction).
  • /l: List installed hotfixes.
  • /x: Extracts the files without running Setup.
For example, to install the update without any user intervention, and then not to force the computer to restart, use the following command line:
q329115_wxp_sp2_x86_enu /u /q /z

WARNING: Your computer is vulnerable until you restart it.

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

The following files are copied to the %WINDIR%\System32 folder:

Windows XP Home Edition and Professional
   Date         Time   Version          Size     File name
   ---------------------------------------------------------
   23-Sep-2002  20:10  5.131.2600.1123  544,256  Crypt32.dll
Windows XP 64-Bit Edition
   Date         Time   Version          Size       File name
   -----------------------------------------------------------
   23-Sep-2002  20:10  5.131.2600.1123  1,920,512  Crypt32.dll
   22-Sep-2002  02:26  5.131.2600.1123    544,256  Wcrypt32.dll

Windows 2000 (All Versions)

Download Information

The following file is available for download from the Microsoft Download Center:


Release Date: November 20, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on secure servers that prevent any unauthorized changes to the file.

Installation Information

You must restart your computer after you apply this update. This update supports the following Setup switches:
  • /?: Display the list of installation switches.
  • /u: Unattended mode.
  • /f: Force other programs to quit when the computer shuts down.
  • /n: Do not back up files for removal.
  • /o: Overwrite OEM files without prompting.
  • /z: Do not restart when installation is complete.
  • /q: Quiet mode (no user interaction).
  • /l: List installed hotfixes.
  • /x: Extracts the files without running Setup.
For example, to install the update without any user intervention, and then to not force the computer to restart, use the following command line:
q329115_w2k_sp4_x86_en /u /q /z

WARNING: Your computer is vulnerable until you restart it.

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

The following files are copied to the %WINDIR%\System32 folder:
   Date         Time   Version         Size       File name
   -----------------------------------------------------------
   26-Aug-2002  13:45  5.0.2195.5781     123,664  Adsldp.dll       
   26-Aug-2002  13:45  5.0.2195.5781     131,344  Adsldpc.dll      
   26-Aug-2002  13:45  5.0.2195.5781      62,736  Adsmsext.dll     
   26-Aug-2002  13:45  5.0.2195.5992     358,160  Advapi32.dll     
   26-Aug-2002  13:45  5.0.2195.5265      42,256  Basesrv.dll      
   26-Aug-2002  13:45  5.0.2195.5855      49,424  Browser.dll      
   25-Sep-2002  17:36  5.131.2195.6072   469,776  Crypt32.dll      
   25-Sep-2002  17:36  5.0.1558.6072      90,384  Cryptdlg.dll     
   26-Aug-2002  13:45  5.0.2195.6012     135,952  Dnsapi.dll       
   07-Nov-2002  20:08  5.0.2195.6076      96,016  Dnsrslvr.dll     
   26-Aug-2002  13:45  5.0.2195.5722      45,328  Eventlog.dll     
   26-Aug-2002  13:45  5.0.2195.5907     222,992  Gdi32.dll        
   26-Aug-2002  13:45  5.0.2195.5859     145,680  Kdcsvc.dll       
   04-Jun-2002  18:31  5.0.2195.5859     199,952  Kerberos.dll     
   26-Aug-2002  13:45  5.0.2195.6011     708,880  Kernel32.dll     
   21-Aug-2002  13:27  5.0.2195.6023      71,248  Ksecdd.sys
   22-Jul-2002  20:54  5.0.2195.5960     507,152  Lsasrv.dll       
   22-Jul-2002  20:54  5.0.2195.5960      33,552  Lsass.exe        
   26-Aug-2002  13:45  5.0.2195.4733     332,560  Msgina.dll       
   12-Aug-2002  21:54  5.0.2195.6006     108,816  Msv1_0.dll       
   26-Aug-2002  13:45  5.0.2195.5979     307,472  Netapi32.dll     
   26-Aug-2002  13:45  5.0.2195.5966     360,720  Netlogon.dll     
   06-Sep-2002  15:40  5.0.2195.6044     917,264  Ntdsa.dll        
   26-Aug-2002  13:45  5.0.2195.5936     119,568  Psbase.dll       
   26-Aug-2002  13:45  5.0.2195.6025     389,392  Samsrv.dll       
   26-Aug-2002  13:45  5.0.2195.5951     129,296  Scecli.dll       
   26-Aug-2002  13:45  5.0.2195.5951     302,864  Scesrv.dll       
   23-Oct-2002  15:05  5.0.2195.6100     138,752  Sp3res.dll       
   13-Jun-2001  02:05  5.0.2195.3727       3,856  Svcpack1.dll     
   26-Aug-2002  13:45  5.0.2195.6000     379,664  User32.dll       
   26-Aug-2002  13:45  5.0.2195.5968     369,936  Userenv.dll      
   26-Aug-2002  13:45  5.0.2195.5859      48,912  W32time.dll      
   04-Jun-2002  18:32  5.0.2195.5859      57,104  W32tm.exe        
   24-Aug-2002  15:50  5.0.2195.6028   1,642,416  Win32k.sys
   15-Aug-2002  12:30  5.0.2195.6013     179,472  Winlogon.exe     
   26-Aug-2002  13:45  5.0.2195.5935     243,472  Winsrv.dll       
   26-Aug-2002  13:45  5.0.2195.5944     125,712  Wldap32.dll      
   22-Jul-2002  20:54  5.0.2195.5960     507,664  Lsasrv.dll       
   07-Nov-2002  20:08  5.0.2195.6011     708,880  Kernel32.dll     
   07-Nov-2002  20:08  5.0.2195.6028   1,642,416  Win32k.sys
   26-Aug-2002  13:45  5.0.2195.5935     243,472  Winsrv.dll
NOTE: Because of file dependencies, this update may contain additional files. This update requires Windows 2000 Service Pack 2 (SP2) or Service Pack 3 (SP3). For additional information about how to obtain the latest service pack, click the article number below to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack


Windows NT 4.0 (All Versions)

Download Information

The following files are available for download from the Microsoft Download Center:

Windows NT 4.0

Windows NT Server 4.0, Terminal Server Edition

Release Date: November 20, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on secure servers that prevent any unauthorized changes to the file.

Installation Information

You must restart your computer after you apply this update. This update supports the following Setup switches:
  • /y: Perform removal (only with /m or /q).
  • /f: Force programs to be closed at shutdown.
  • /n: Do not create an Uninstall folder.
  • /z: Do not restart when update completes.
  • /q: Quiet or Unattended mode with no user interface (this switch is a superset of /m).
  • /m: Unattended mode with user interface.
  • /l: List installed hotfixes.
  • /x: Extracts the files without running Setup.
For example, to install the update without any user intervention, and then to not force the computer to restart, use the following command line:
q329115i /q /z

WARNING: Your computer is vulnerable until you restart it.

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

The following files are copied to the %WINDIR%\System32 folder:

Windows NT 4.0
   Date         Time   Version         Size     File name
   ------------------------------------------------------------------
   12-Sep-2002  21:10  5.131.1878.12   372,496  Crypt32.dll
   25-Sep-2002  18:36  5.0.1558.6072    90,384  Cryptdlg.dll
   26-Sep-2002  18:38  4.86.1964.1878  143,632  Schannel.dll
   26-Sep-2002  18:38  4.87.1964.1878  112,912  Schannel.dll  128-bit
Windows NT Server 4.0, Terminal Server Edition
   Date         Time   Version         Size     File name
   ------------------------------------------------------------------
   12-Sep-2002  21:10  5.131.1878.12   372,496  Crypt32.dll
   25-Sep-2002  18:36  5.0.1558.6072    90,384  Cryptdlg.dll
   26-Sep-2002  18:38  4.86.1964.1878  143,632  Schannel.dll
   26-Sep-2002  18:38  4.87.1964.1878  112,912  Schannel.dll  128-bit
NOTE: Because of file dependencies, this update requires Windows NT 4.0 Service Pack 6a (SP6a) or Windows NT Server 4.0, Terminal Server Edition Service Pack 6 (SP6). For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
152734 How to Obtain the Latest Windows NT 4.0 Service Pack


Windows Me, Windows 98 Second Edition, and Windows 98

Download Information

The following files are available for download from the Microsoft Download Center:

Windows Millennium Edition (Me)

Windows 98 and Windows 98 Second Edition

Release Date: November 20, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on secure servers that prevent any unauthorized changes to the file.

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows Millennium Edition
   Date         Time   Version        Size     File name
   --------------------------------------------------------
   12-Sep-2002  20:51  5.131.2133.6   468,752  Crypt32.dll
   25-Sep-2002  17:36  5.0.1558.6072   90,384  Cryptdlg.dll
Windows 98 and Windows 98 Second Edition
   Date         Time   Version         Size     File name
   ---------------------------------------------------------
   12-Sep-2002  20:10  5.131.1878.12   372,496  Crypt32.dll
   25-Sep-2002  17:36  5.0.1558.6072    90,384  Cryptdlg.dll
   26-Sep-2002  17:38  4.87.1964.1878  112,912  Schannel.dll

Office v. X, Office 2001, Office 98 for Mac; Outlook Express for Mac; Internet Explorer for Mac

For information about obtaining patches for these products, visit the following Microsoft Web site:


STATUS

Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

For more information about this vulnerability, visit the following Microsoft Web site: