Certificate Validation Flaw Could Enable Identity Spoofing

The original version of this bulletin was released on 05 September 2002. The vulnerability identified in the original version of the bulletin could enable an attacker who had a valid end-entity certificate to issue a subordinate certificate that, although bogus, would nevertheless pass validation. Because CryptoAPI is used by a wide range of applications, this could enable a variety of identity spoofing attacks.

Microsoft re-issued this security bulletin on November 11, 2003 to advise on the availability of an updated Microsoft Windows 2000 Service Pack 4 (SP4) security patch. This revised security patch corrects a regression that may occur during the installation of Microsoft Internet Explorer 6.0 Service Pack 1 on Windows 2000 SP4. This regression removes the update that is discussed in this bulletin and that is provided as part of Windows 2000 SP4. Customers who are using Windows 2000 SP4 and then installed Internet Explorer 6.0 Service Pack 1 should apply the updated Windows 2000 SP4 security patch to help protect from this vulnerability.

Download: Security Update for Microsoft Windows 2000 SP4

View: Microsoft Security Bulletin MS02-050

Report a problem with article
Next Article

Buffer Overrun in Microsoft FrontPage Server Extensions

Previous Article

Buffer Overrun in the Workstation Service

-1 Comments - Add comment