-----Original Message-----
From: UNIRAS (UK Govt CERT) [mailto:[EMAIL PROTECTED]]
Sent: 29 August 2002 09:29
To: [EMAIL PROTECTED]
Subject: UNIRAS Brief - 285/02 - Microsoft - Flaw in Certificate Enrollment Control Could Allow Deletion of Digital Certificates

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
UNIRAS (UK Govt CERT) Briefing Notice - 285/02 dated 29.08.02  Time: 09:28
UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ----------------------------------------------------------------------------------
UNIRAS material is also available from its website at www.uniras.gov.uk and
information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

Microsoft Security Bulletin - MS02-048: Flaw in Certificate Enrollment Control Could Allow Deletion of Digital Certificates

Detail
======

- -----BEGIN PGP SIGNED MESSAGE-----

- - ----------------------------------------------------------------------
Title:      Flaw in Certificate Enrollment Control Could Allow Deletion of Digital Certificates (Q323172)
Date:       28 August 2002
Software:   Microsoft Windows 98
            Microsoft Windows 98 Second Edition
            Microsoft Windows Millennium
            Microsoft Windows NT 4.0
            Microsoft Windows 2000
            Microsoft Windows XP
Impact:     Denial of service
Max Risk:   Critical
Bulletin:   MS02-048

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-048.asp.
- - ----------------------------------------------------------------------

Issue:
======
All versions of Windows ship with an ActiveX control known as the Certificate
Enrollment Control, the purpose of which is to allow web-based certificate
enrollments.
The control is used to submit PKCS #10 compliant certificate requests, and
upon receiving the requested certificate, stores it in the user's local
certificate store.

The control contains a flaw that could enable a web page, through an
extremely complex process, to invoke the control in a way that would delete
certificates on a user's system. An attacker who successfully exploited the
vulnerability could corrupt trusted root certificates, EFS encryption
certificates, email signing certificates, and any other certificates on the
system, thereby preventing the user from using these features.

An attack could be carried out through either of two scenarios. The attacker
could create a web page that exploits the vulnerability, and host it on a web
site in order to attack users who visited the site. The attacker also could
send the page as an HTML mail in order to attack the recipient.

A new version of the control is available that corrects the vulnerability,
and can be installed via the patch. A patch is available for all other
Windows systems, as discussed in the Patch Availability section below.
Internet Explorer 5 or later is a prerequisite to installing the patch. As
discussed in the Caveats section, customers who operate web sites that use
the Certificate Enrollment Control will need to make minor revisions to their
web applications in order to use the new control. Microsoft Knowledge Base
article Q323172 details how to do this.

In addition, the patch addresses a similar, but less serious vulnerability
discovered in the SmartCard Enrollment control. This control ships with
Windows 2000 and Windows XP. A new version of this control is also provided.

Mitigating Factors:
====================
- - - The web site-based attack vector could not be exploited if ActiveX
controls were disabled in the Security Zone associated with the attacker's
site.
- - - The mail-based attack vector could not be exploited if the recipient's
email client handles HTML mail in the Restricted Sites Zone. Outlook Express
6 and Outlook 2002 open mail in this zone by default. Outlook 98 and 2000
open HTML mail in the Restricted Sites Zone if the Outlook Email Security
Update has been installed.
- - - The vulnerability would not enable certificates on smart cards to be
corrupted, even if the smart card were in the system at the time of an
attack.

Risk Rating:
============
- Internet systems: Low
- Intranet systems: Low
- Client systems: Critical

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the Security
Bulletin at http://www.microsoft.com/technet/security/bulletin/ms02-048.asp
for information on obtaining this patch.

- - ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.
- -----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPW1Nno0ZSRQxA/UrAQHu5gf/XxYk5KdJHIBBUl2NzgAMbLM0t4YyCnja
cyJ7h0V9i39P0dpll9sLjLac5fEVVgY5rOLVU2BJUcI6houV/pE+874su0git9em
5TIM2o8M0qpwEwiQAbFnhYr89a1nACGLCaQPc/TFQvtQLLgZ48YlX63MIevqCfJk
sTve2/UJYeKZ2QpbSFaCGdMhtl9sv4D2n471zLJoBlZiCXMALyDNMJ7rDjRXOcjJ
NDopXs8hTnccnwbH6M4pFay3fYokMh5p4sfT9/9cZ3/0COmhJcBge/V57w1THZiK
NXH1NFNqBY9eb9kIY4K3Z9f1ko4lGkb6W2yDWyVk+aBkWkmPQTgwnw==
=IAg+
- -----END PGP SIGNATURE-----

*******************************************************************

Reprinted with permission of Microsoft Corporation.

- ----------------------------------------------------------------------------------
For additional information or assistance, please contact the HELP Desk by
telephone or Not Protectively Marked information may be sent via EMail to:
[EMAIL PROTECTED]
Tel: 020 7821 1330 Ext 4511
Fax: 020 7821 1686
- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Microsoft for the
information contained in this Briefing.
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some
of the information may have changed since it was released. If the
vulnerability affects you, it may be prudent to retrieve the advisory from
the canonical site to ensure that you receive the most current information
concerning that problem.

Reference to any specific commercial product, process, or service by trade
name, trademark manufacturer, or otherwise, does not constitute or imply its
endorsement, recommendation, or favouring by UNIRAS or NISCC. The views and
opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors or
omissions contained within this briefing notice.
In particular, they shall not be liable for any loss or damage whatsoever,
arising from or in connection with the usage of information contained within
this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams
(FIRST) and has contacts with other international Incident Response Teams
(IRTs) in order to foster cooperation and coordination in incident
prevention, to prompt rapid reaction to incidents, and to promote information
sharing amongst its members and the community at large.
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQCVAwUBPW3aiYpao72zK539AQG+PAQAt13WWoLvqNJasfMIAvIf+xsYktGI3XmM
RlULRQFS3dwIwmVp0O6xUzAa9R0v70mkL7yX+eVNUe/d3K8wkqurb9jpmajCbKsV
GeVsvBuuhzltaggUgc2iV743KoiAMPY1d+EArN2xdZyPXw08T1XS1oIZFjgMEm86
t8wJsmRhT6E=
=3plq
-----END PGP SIGNATURE-----

IWS INFOCON Mailing List @ IWS - The Information Warfare Site
http://www.iwar.org.uk
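Editor's note, added to this archived posting and not part of the UNIRAS briefing or the Microsoft bulletin it reprints: the bulletin's Mitigating Factors rest on two Internet Explorer settings that a practitioner can audit and enforce from the registry. The "Run ActiveX controls and plug-ins" action is stored as value 1200 under each Security Zone key (zone 3 is Internet, zone 4 is Restricted Sites; 0 = enable, 1 = prompt, 3 = disable), which is the setting the first mitigating factor refers to and the setting Outlook inherits when it renders HTML mail in the Restricted Sites Zone. A control can also be blocked outright with the ActiveX "kill bit" (Compatibility Flags with 0x400 set under the control's CLSID). The script below assumes a current Windows host where these keys still have the documented layout, reads the per-user (HKCU) zone values, and takes the CLSID to kill-bit from the operator, since the bulletin does not print one; no CLSID in it is taken from the advisory.

```powershell
# Added example (editor's, not from UNIRAS or Microsoft). Audits, and with -Fix
# enforces, the IE zone setting and optional kill bit behind MS02-048's mitigations.
# Assumptions: registry layout documented for IE zones and ActiveX Compatibility;
# per-user zone values (a "Security_HKLM_only" policy would move them to HKLM);
# the CLSID list is supplied by the operator, it is not taken from the bulletin.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Fix,                    # apply changes instead of only reporting
    [string[]]$KillBitClsid = @()    # e.g. '{00000000-0000-0000-0000-000000000000}' (placeholder)
)

$zonesKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneNames = @{ 3 = 'Internet'; 4 = 'Restricted Sites' }
$disable   = 3      # value 1200: 0 = enable, 1 = prompt, 3 = disable

function Get-ActiveXZoneState {
    # Returns one object per zone of interest with the raw 1200 value and a verdict.
    foreach ($zone in ($zoneNames.Keys | Sort-Object)) {
        $path  = Join-Path $zonesKey $zone
        $value = (Get-ItemProperty -Path $path -Name '1200' -ErrorAction SilentlyContinue).'1200'
        [pscustomobject]@{
            Zone    = $zoneNames[$zone]
            Path    = $path
            Setting = $value
            Safe    = ($value -eq $disable)
        }
    }
}

foreach ($s in Get-ActiveXZoneState) {
    $status = if ($s.Safe) { 'OK (ActiveX disabled)' }
              elseif ($null -eq $s.Setting) { 'MISSING (zone default applies)' }
              else { "EXPOSED (value $($s.Setting))" }
    Write-Output ('{0,-16} run ActiveX (1200): {1}' -f $s.Zone, $status)

    if ($Fix -and -not $s.Safe -and $PSCmdlet.ShouldProcess($s.Path, 'Set 1200 = 3 (disable ActiveX)')) {
        Set-ItemProperty -Path $s.Path -Name '1200' -Value $disable -Type DWord
    }
}

# Kill bit: IE refuses to instantiate a control whose Compatibility Flags has 0x400 set.
foreach ($clsid in $KillBitClsid) {
    $key    = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
    $flags  = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $killed = (([int]$flags) -band 0x400) -ne 0
    Write-Output ('{0} kill bit: {1}' -f $clsid, $(if ($killed) { 'set' } else { 'NOT set' }))

    if ($Fix -and -not $killed -and $PSCmdlet.ShouldProcess($key, 'Set kill bit 0x400')) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value (([int]$flags) -bor 0x400) -Type DWord
    }
}
```

Run it without switches to report, with `-Fix -WhatIf` to preview the writes, and with `-Fix` (elevated, for the HKLM kill-bit branch) to apply them. Two caveats follow from the bulletin itself: disabling ActiveX in the Internet zone closes the web vector only for sites that fall in that zone, so an attacker site placed in Trusted Sites or Local intranet is unaffected, and kill-bitting the old control also breaks legitimate web enrollment against sites that still load it, which is why the bulletin's Caveats section tells site operators to revise their applications for the new control rather than rely on blocking alone.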