Microsoft issues security bulletin on certificate validation flaw

Microsoft issued another security bulletin for what it called a “critical” flaw in various Windows software. The security bulletin alerted users to a flaw that could allow for identity spoofing and recommended immediate installation of a patch.

The latest flaw can affect users of Microsoft Windows 98, Me, NT 4.0, 2000 and XP, as well as users of Office for Mac, Internet Explorer for Mac and Outlook Express for Mac.

The flaw allows an attacker to create a fake digital certificate for a Web site that will nonetheless pass validation. Such a certificate could allow the attacker to set up a Web site that successfully poses as a different, legitimate site, in the hope that visitors would reveal sensitive information such as credit card numbers. The most likely targets would be legitimate e-commerce sites, according to the bulletin.

The vulnerability could also allow someone to send an e-mail with a digital signature that does not belong to the actual sender, Microsoft said in the bulletin.

The vulnerability lies in CryptoAPI, the set of Windows functions that provide encryption, decryption, digital certificate handling and related services, and therefore affects every application that relies on it, whether written by Microsoft or not. It occurs because the affected products do not check the Basic Constraints field of a certificate, the bulletin said. That field is what marks a certificate as belonging to a certificate authority and therefore entitled to sign other certificates; because the check is skipped, a certificate signed with the key of an ordinary end-user or Web server certificate is treated as if it had been issued by the trusted authority at the top of the chain.

Microsoft said the attack is limited by several operational barriers. The attacker must first obtain a genuine digital certificate from a certificate authority, and the bogus certificates that can be built from it are limited to the same kind of use as the genuine one. In other words, an attacker would need a valid secure sockets layer (SSL) server certificate in order to create a fake SSL server certificate.
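The mechanism described in the two paragraphs above, as an added example that is not part of the bulletin or of this article: the Go program below builds a three-certificate chain (a trusted root CA, an ordinary SSL server certificate the attacker obtained from it, and a certificate for a victim site signed with that server certificate's key) and validates it twice, once with a minimal validator that checks only the signatures, reproducing the flawed behaviour, and once with the Basic Constraints check added. Go's crypto/x509 stands in for CryptoAPI here; all names (Example Trusted Root CA, www.attacker.example, www.shop.example) are constructed for the example, and none of this is Microsoft's code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template builds a certificate body. Basic Constraints is always present; its
// cA flag says whether the holder's key may be used to sign other certificates.
func template(serial int64, cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
	}
	if !ca {
		t.DNSNames = []string{cn} // an ordinary SSL server certificate
	}
	return t
}

// issue signs tmpl with parentKey (self-signed when parent is nil). Nothing here
// stops a non-CA key from signing: rejecting the result is the validator's job.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only if the system RNG is broken
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert, key
}

// BuildForgedChain plays out the bulletin's scenario: the attacker obtains an
// ordinary (non-CA) SSL server certificate from a trusted CA, then uses its key
// to "issue" a certificate for the victim site. It returns the chain as a server
// would present it (leaf first, root omitted) plus the root. Names are made up.
func BuildForgedChain() ([]*x509.Certificate, *x509.Certificate) {
	root, rootKey := issue(template(1, "Example Trusted Root CA", true), nil, nil)
	attacker, attackerKey := issue(template(2, "www.attacker.example", false), root, rootKey)
	forged, _ := issue(template(3, "www.shop.example", false), attacker, attackerKey)
	return []*x509.Certificate{forged, attacker}, root
}

// VerifyChain checks that chain[i] was signed by chain[i+1] and the last element
// by root. With requireCA=false it verifies signatures only, which is the flawed
// behaviour; with requireCA=true it first demands that every issuer carry Basic
// Constraints with cA=TRUE, the check the affected products skipped.
func VerifyChain(chain []*x509.Certificate, root *x509.Certificate, requireCA bool) error {
	for i, cert := range chain {
		issuer := root
		if i+1 < len(chain) {
			issuer = chain[i+1]
		}
		if requireCA && (!issuer.BasicConstraintsValid || !issuer.IsCA) {
			return fmt.Errorf("%q is not a CA and cannot have issued %q", issuer.Subject.CommonName, cert.Subject.CommonName)
		}
		// CheckSignature tests the signature alone; it applies no policy at all.
		if err := issuer.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
			return fmt.Errorf("bad signature on %q: %w", cert.Subject.CommonName, err)
		}
	}
	return nil
}

// StdlibVerify runs the same chain through Go's own path validator, which
// enforces Basic Constraints and therefore rejects the forged certificate.
func StdlibVerify(chain []*x509.Certificate, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range chain[1:] {
		inters.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

func main() {
	chain, root := BuildForgedChain()
	fmt.Println("flawed:", VerifyChain(chain, root, false)) // <nil>: forgery accepted
	fmt.Println("fixed: ", VerifyChain(chain, root, true))
	fmt.Println("stdlib:", StdlibVerify(chain, root))
}
```

The flawed validator accepts the forged certificate because every signature in the chain is genuine; only the question "was this signer allowed to act as a CA?" is missing, and that is the whole bug. Drop the forged leaf (pass chain[1:]) and both validators accept the attacker's own legitimate certificate, which is the bulletin's caveat in practice: a valid end-entity certificate is all the attacker needs to start from.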

Patches are available now for most of the Windows versions listed above. Patches for Windows 2000 and for Office, Internet Explorer and Outlook Express for Mac will be released shortly, the bulletin said.

Microsoft can be found at