Microsoft KB Archive/323172

= MS02-048: Flaw in Certificate Enrollment Control May Cause Digital Certificates to Be Deleted =

Article ID: 323172

Article Last Modified on 12/1/2007

-

APPLIES TO


 * Microsoft Windows NT Server 4.0, Terminal Server Edition
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows XP Home Edition
 * Microsoft Windows XP Professional
 * Microsoft Windows XP Professional x64 Edition
 * Microsoft Windows NT Server 4.0 Enterprise Edition
 * Microsoft Windows NT Server 4.0 Standard Edition
 * Microsoft Windows NT Workstation 4.0 Developer Edition
 * Microsoft Windows Millennium Edition
 * Microsoft Windows 98 Second Edition
 * Microsoft Windows 98 Standard Edition

-



This article was previously published under Q323172



SYMPTOMS
The versions of Microsoft Windows that are listed in the "Applies to" section of this article include an ActiveX control that is known as the Certificate Enrollment control. This control is located in the Xenroll.dll binary. Windows uses this control to allow Web-based certificate enrollments and to submit PKCS #10-compliant certificate requests. When this control receives the requested certificate, it stores the certificate in the user's local certificate store, which is part of the user profile.

The Certificate Enrollment control contains a flaw that may allow a Web page, by using an extremely complex process, to run the control in a way that deletes the certificates on a user's system. An attacker who successfully exploits this vulnerability may be able to delete trusted root certificates, EFS encryption certificates, e-mail signing certificates, and any other certificates on the computer, thereby preventing the user from using these features.

An attack may be carried out in either of the following scenarios:
 * The attacker may create a Web page that exploits the vulnerability, and then host this page on a Web site to attack users who visit this site.
 * The attacker may send the page as an HTML e-mail message as a way to attack the recipient.

Mitigating Factors
The Web site-based attack vector may not be exploited if ActiveX Controls are turned off in the security zone that is associated with the attacker's site. The message-based attack vector may not be exploited if the recipient's e-mail client handles HTML e-mail messages in the Restricted sites zone. By default, Microsoft Outlook Express 6 and Microsoft Outlook 2002 open e-mail messages in this zone. Microsoft Outlook 98 and Microsoft Outlook 2000 open HTML e-mail messages in the Restricted sites zone if the security update that is available at the following Microsoft Web site has been installed:

Outlook E-mail Security Update

This vulnerability does not allow certificates on smart cards to be deleted, even if the smart card is in the computer at the time of an attack.



RESOLUTION
Microsoft has released an update that prevents the flawed control from being called from Web pages and installs new versions of the control. The client update includes a registry change that turns off the earlier version of the control and installs the new version of the control. Because a common version of the Certificate Enrollment control must be provided to all supported clients, a dependency on CryptoAPI is created. The new Certificate Enrollment control is dependent on the functionality that is only available with Microsoft Internet Explorer 5.0 or later. Therefore, this update is not installed on computers that are not running Internet Explorer 5 or later. If you are not using Internet Explorer 5 or later, you receive the following error message:

This update is not designed for your version of Internet Explorer. Press OK to exit.

NOTE: If you add or remove components from your computer, you must reapply this update.

For more information about how to resolve this vulnerability, click any of the following links to review the section that applies to your operating system.
 * Windows XP (All Versions)
 * Windows 2000 (All Versions)
 * Windows NT 4.0 (All Versions)
 * Windows Millennium Edition, Windows 98 Second Edition, Windows 98

Windows XP (All Versions)
To resolve this problem, obtain the latest service pack for Windows XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to Obtain the Latest Windows XP Service Pack

Windows XP Pre-SP1 Download Information
If you have not applied Windows XP Service Pack 1 (SP1) or later, apply the appropriate patch to resolve this problem. The following files are available for download from the Microsoft Download Center:

Windows XP Professional and Windows XP Home:

English (US): Download the Q323172 package now

Arabic: Download the Q323172 package now

Chinese (Simplified): Download the Q323172 package now

Chinese (Traditional): Download the Q323172 package now

Czech: Download the Q323172 package now

Danish: Download the Q323172 package now

Dutch: Download the Q323172 package now

Finnish: Download the Q323172 package now

French: Download the Q323172 package now

German: Download the Q323172 package now

Greek: Download the Q323172 package now

Hebrew: Download the Q323172 package now

Hungarian: Download the Q323172 package now

Italian: Download the Q323172 package now

Japanese: Download the Q323172 package now

Korean: Download the Q323172 package now

Norwegian: Download the Q323172 package now

Polish: Download the Q323172 package now

Portuguese: Download the Q323172 package now

Portuguese (Brazil): Download the Q323172 package now

Russian: Download the Q323172 package now

Spanish: Download the Q323172 package now

Swedish: Download the Q323172 package now

Turkish: Download the Q323172 package now

Windows XP 64-Bit Edition:

English (US): Download the Q323172 package now

French: Download the Q323172 package now

German: Download the Q323172 package now

Japanese: Download the Q323172 package now

Release Date: August 28, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Installation Information
Before you apply this update, close all programs, Internet Explorer browser sessions, and Web services.

To apply this update on a Windows XP-based client, the user who is logged on must be a member of the local Power Users group or the Administrators group.

You must restart your computer after you apply this update. This update supports the following Setup switches:
 * -?: Display the list of installation switches.
 * -u: Unattended mode.
 * -f: Force other programs to quit when the computer shuts down.
 * -n: Do not back up files for uninstallation.
 * -o: Overwrite OEM files without prompting.
 * -z: Do not restart when installation is complete.
 * -q: Quiet mode (no user interaction).
 * -l: List installed hotfixes.
 * -x: Extracts the files without running Setup.

For example, to install the update without any user intervention, and then to not force the computer to restart, use the following command line:

 -u -q -z

WARNING: Your computer is vulnerable until you restart it.

File Information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

   Date         Version       Size     File name
   09-Jul-2002  5.131.3659.0  172,664  Xenroll.dll

back to the top

Windows 2000 (All Versions) Service Pack Information
To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

Windows 2000 (All Versions) Hotfix Information
A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This fix may receive additional testing. If your computer is sufficiently at risk, Microsoft recommends that you apply this fix now. Otherwise, wait for the next Windows 2000 service pack that contains this fix.

To resolve this problem immediately, download the fix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Download Information
The following file is available for download from the Microsoft Download Center:

All Languages: Download the Q323172 package now

Release Date: August 28, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on secure servers that prevent any unauthorized changes to the file.

Installation Information
Before you apply this update, close all programs, Internet Explorer browser sessions, and Web services.

To apply this update on a Windows 2000-based client, the user who is logged on must be a member of the local Power Users group or the Administrators group.

Downloads of the Certificate Enrollment control (Xenroll.dll) to Alpha-based client computers from a Windows 2000 server that has Certificate Services installed are no longer supported.

You must restart your computer after you apply this update. This update supports the following Setup switches:
 * -?: Display the list of installation switches.
 * -u: Unattended mode.
 * -f: Force other programs to quit when the computer shuts down.
 * -n: Do not back up files for uninstallation.
 * -o: Overwrite OEM files without prompting.
 * -z: Do not restart when installation is complete.
 * -q: Quiet mode (no user interaction).
 * -l: List installed hotfixes.
 * -x: Extracts the files without running Setup.

For example, to install the update without any user intervention, and then to not force the computer to restart, use the following command line:

 -u -q -z

WARNING: Your computer is vulnerable until you restart it.

File Information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

   Date         Version          Size     File name
   09-Jul-2002  5.131.3659.0     172,664  Xenroll.dll
   05-Aug-2002  5.131.2195.5938   48,568  Scrdenrl.dll

back to the top

Windows NT 4.0 (All Versions)
A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that you determine are at risk of attack. Evaluate the computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to the computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This hotfix may receive additional testing. If the computer is sufficiently at risk, we recommend that you apply this hotfix now.

To resolve this problem immediately, download the hotfix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Note In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Download Information
The following files are available for download from the Microsoft Download Center:

Windows NT 4.0

English: Download the Q323172 package now

Arabic: Download the Q323172 package now

Chinese (Simplified): Download the Q323172 package now

Chinese (Traditional): Download the Q323172 package now

Chinese (Hong Kong): Download the Q323172 package now

Czech: Download the Q323172 package now

Danish: Download the Q323172 package now

Dutch: Download the Q323172 package now

Finnish: Download the Q323172 package now

French: Download the Q323172 package now

German: Download the Q323172 package now

Hebrew: Download the Q323172 package now

Hungarian: Download the Q323172 package now

Italian: Download the Q323172 package now

Japanese: Download the Q323172 package now

Korean: Download the Q323172 package now

Norwegian: Download the Q323172 package now

Polish: Download the Q323172 package now

Portuguese (Brazilian): Download the Q323172 package now

Russian: Download the Q323172 package now

Spanish: Download the Q323172 package now

Swedish: Download the Q323172 package now

Turkish: Download the Q323172 package now

Release Date: August 28, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on secure servers that prevent any unauthorized changes to the file.

Installation Information
Before you apply this update, close all programs, Internet Explorer browser sessions, and Web services.

To apply this update on a Windows NT 4.0 client, the user who is logged on must be a member of the local Power Users group or the Administrators group.

Downloads of the Certificate Enrollment control (Xenroll.dll) to Alpha-based client computers from a Windows NT 4.0 server that has Certificate Services installed are no longer supported.

You must restart your computer after you apply this update. This update supports the following Setup switches:
 * -y: Perform uninstall (only with -m or -q).
 * -f: Force programs to be closed at shutdown.
 * -n: Do not create an Uninstall folder.
 * -z: Do not restart when update completes.
 * -q: Quiet or Unattended mode with no user interface (this switch is a superset of -m).
 * -m: Unattended mode with user interface.
 * -l: List installed hotfixes.
 * -x: Extracts the files without running Setup.

For example, to install the update without any user intervention, and then to not force the computer to restart, use the following command line:

 -q -z

WARNING: Your computer is vulnerable until you restart it.

File Information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

   Date         Version       Size     File name
   09-Jul-2002  5.131.3659.0  172,664  Xenroll.dll

back to the top

Windows Millennium Edition, Windows 98 Second Edition, and Windows 98
A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This fix may receive additional testing. If your computer is sufficiently at risk, Microsoft recommends that you apply this fix now.

To resolve this problem immediately, download the fix by clicking the download link later in this article or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, please visit the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Download Information
The following files are available for download from the Microsoft Download Center:

Windows Millennium Edition:

English (US): Download the Q323172 package now

Arabic: Download the Q323172 package now

Enabled Arabic: Download the Q323172 package now

Chinese (Simplified): Download the Q323172 package now

Chinese (Traditional): Download the Q323172 package now

Czech: Download the Q323172 package now

Danish: Download the Q323172 package now

Dutch: Download the Q323172 package now

Finnish: Download the Q323172 package now

French: Download the Q323172 package now

German: Download the Q323172 package now

Greek: Download the Q323172 package now

Hebrew: Download the Q323172 package now

Enabled Hebrew: Download the Q323172 package now

Hungarian: Download the Q323172 package now

Italian: Download the Q323172 package now

Japanese: Download the Q323172 package now

Korean: Download the Q323172 package now

Norwegian: Download the Q323172 package now

Polish: Download the Q323172 package now

Portuguese: Download the Q323172 package now

Portuguese (Brazil): Download the Q323172 package now

Russian: Download the Q323172 package now

Slovak: Download the Q323172 package now

Slovenian: Download the Q323172 package now

Spanish: Download the Q323172 package now

Swedish: Download the Q323172 package now

Thai: Download the Q323172 package now

Turkish: Download the Q323172 package now

Windows 98 and Windows 98 Second Edition:

All Languages: Download the Q323172 package now

Release Date: August 28, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on secure servers that prevent any unauthorized changes to the file.

Installation Information
Before you apply this update, close all programs, Internet Explorer browser sessions, and Web services.

File Information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

   Date         Version       Size     File name
   09-Jul-2002  5.131.3659.0  172,664  Xenroll.dll

back to the top



Windows XP (All Versions)
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows XP Service Pack 1.

Windows 2000 (All Versions)
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Microsoft Windows 2000 Service Pack 4.

Windows NT 4.0 (All Versions)
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article.

Windows Millennium Edition, Windows 98 Second Edition, and Windows 98
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

Client Information
After you apply this update to a client computer, the client cannot enroll with a Web server for which the update has not been applied. If you are using this client, you may experience Web pages that stop responding, you may receive error messages that state the ActiveX Control could not be downloaded, or enrollment may not be successful.

When a client computer for which the updated control has not been applied tries to enroll with a Web server that has been updated, the Web server downloads the updated control to the client computer.

IMPORTANT: Even if a Web site has been updated and client enrollment is successful, you must update the client computer to remove this vulnerability. Netscape browsers do not use the Certificate Enrollment control when enrolling with a Microsoft Windows Certificate Server; however, the client computers must be updated to remove this vulnerability.

Server Information
If you operate a Web site that uses the Certificate Enrollment control, you must make minor revisions to your Web programs to use the new control. Both Windows NT 4.0-based servers and Windows 2000-based servers that host Certificate Services Web enrollment pages must be updated with the new Certificate Enrollment control and the Smartcard Enrollment control. If a Windows certification authority (CA) also has Web enrollment services installed on separate Internet Information Services (IIS)-based servers, you must also apply the server update to those Web sites. Third-party Web sites that use either of these controls must also update any Web pages that use these controls. The Web site must refer to the new class identifier (ID) and version of Xenroll.dll and Scrdenrl.dll:

 * Old Xenroll.dll information:
   Class ID: {43F8F289-7A20-11D0-8F06-00C04FC295E1}
 * New Xenroll.dll information:
   Class ID: {127698e4-e730-4e5c-a2b1-21490a70c8a1}
   sXEnrollVersion="5,131,3659,0"
 * Old Scrdenrl.dll information:
   Class ID: {80CB7887-20DE-11D2-8D5C-00C04FC29D45}
 * New Scrdenrl.dll information:
   Class ID: {c2bbea20-1f2b-492f-8a06-b1c5ffeace3b}
   sScrdEnrlVersion="5,131,2195,5938"

The Windows 2000 update will automatically update the Windows 2000 CA Web enrollment pages to use the new controls for Windows client enrollment. Third-party CAs must provide appropriate patches or update Web pages appropriately to use the new Xenroll.dll control class ID.

The Smartcard Enrollment control is only used with Windows 2000 CAs. This control does not apply to Windows NT 4.0, Windows 98, Windows 98 Second Edition, or Windows Millennium Edition. The following Web pages are updated on a Windows 2000 CA:

Certdat.inc

Certsgcl.inc

Certsces.asp

To manually patch a Windows NT 4.0-based server that has Certificate Services installed, follow these steps:

 1. Type the following command at a command prompt to manually extract the updated files to a temporary folder:

    q323172i /x

 2. Replace the \System32\Certsrv\Certcontrol\Xenroll.cab file with the new version that you extracted in step 1.

 3. Install the update as you typically would by running Q323172i.exe, and then restart the computer when you are prompted.

 4. Update the following Active Server Pages (ASP) pages to include the new Xenroll class ID (CLSID) and proper version information:

    \System32\Certsrv\CertEnroll\Ceaccept.asp
    \System32\Certsrv\CertEnroll\Ceenroll.asp

    To do so, in each Web page change the old CLSID from:

    classid="clsid:43F8F289-7A20-11D0-8F06-00C04FC295E1"

    to:

    classid="clsid:127698e4-e730-4e5c-a2b1-21490a70c8a1"

    and, in each Web page, change the version number from:

    CODEBASE="/CertControl/xenroll.cab#Version=5,131,2090,1"

    to:

    CODEBASE="/CertControl/xenroll.cab#Version=5,131,3659,0"

    NOTE: If the Web page does not reference the Xenroll CLSID or a version-dependent ProgID directly, it does not need to be updated. The fix that works for both the old and the new Xenroll control is to use CreateObject with a version-independent ProgID.

 5. Verify that %SystemRoot%\WINNT\System32\CertSrv\CertControl\x86\Xenroll.dll has been replaced with the new version.

 6. Edit the Browscap.ini file in the %SystemRoot%\System32\Inetsrv folder to allow Internet Explorer 6.0 version browsers.
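As an added example (not Microsoft's code and not part of this article), the following Python audits and rewrites enrollment pages the way step 4 describes: it reports and replaces the old Xenroll and Scrdenrl CLSIDs and out-of-date CODEBASE versions using the values listed in this section, and leaves a page untouched when it only uses CreateObject with a version-independent ProgID. The regular expressions, function names and the sample OBJECT tag are assumptions made here.

```python
import re

# Old and new control identifiers, as listed in the Server Information section.
CONTROLS = {
    "xenroll": {
        "old_clsid": "43F8F289-7A20-11D0-8F06-00C04FC295E1",
        "new_clsid": "127698e4-e730-4e5c-a2b1-21490a70c8a1",
        "new_version": (5, 131, 3659, 0),
    },
    "scrdenrl": {
        "old_clsid": "80CB7887-20DE-11D2-8D5C-00C04FC29D45",
        "new_clsid": "c2bbea20-1f2b-492f-8a06-b1c5ffeace3b",
        "new_version": (5, 131, 2195, 5938),
    },
}

# classid="clsid:..." inside an <OBJECT> tag; CLSIDs are compared case-insensitively.
CLSID_RE = re.compile(r'(classid\s*=\s*["\']?\s*clsid:)([0-9A-Fa-f-]{36})', re.IGNORECASE)
# CODEBASE="/CertControl/xenroll.cab#Version=5,131,2090,1"; group 2 names the control.
CODEBASE_RE = re.compile(
    r'(codebase\s*=\s*["\']?[^"\'\s>]*?/(xenroll|scrdenrl)\.cab#version=)(\d+(?:,\d+){3})',
    re.IGNORECASE,
)


def _parse_version(text):
    return tuple(int(part) for part in text.split(","))


def _old_control_for(clsid):
    """Return (name, entry) of the control whose old CLSID matches, else None."""
    for name, ctl in CONTROLS.items():
        if clsid.lower() == ctl["old_clsid"].lower():
            return name, ctl
    return None


def audit_page(page):
    """List (line_no, finding) for each reference that still needs updating.

    A page naming neither an old CLSID nor an out-of-date CODEBASE version (for
    example one using CreateObject with a version-independent ProgID) yields no
    findings, matching the article's note that such pages need no change.
    """
    findings = []
    for line_no, line in enumerate(page.splitlines(), start=1):
        for m in CLSID_RE.finditer(line):
            hit = _old_control_for(m.group(2))
            if hit:
                findings.append((line_no, f"old {hit[0]} CLSID {m.group(2)}"))
        for m in CODEBASE_RE.finditer(line):
            ctl = CONTROLS[m.group(2).lower()]
            if _parse_version(m.group(3)) < ctl["new_version"]:
                findings.append((line_no, f"old {m.group(2)} version {m.group(3)}"))
    return findings


def update_page(page):
    """Rewrite old CLSIDs and CODEBASE versions; return (new_text, replacement_count).

    Versions already at or above the patched control are left alone, since the
    article lists the file attributes as "or later".
    """
    count = 0

    def fix_clsid(m):
        nonlocal count
        hit = _old_control_for(m.group(2))
        if not hit:
            return m.group(0)
        count += 1
        return m.group(1) + hit[1]["new_clsid"]

    def fix_codebase(m):
        nonlocal count
        ctl = CONTROLS[m.group(2).lower()]
        if _parse_version(m.group(3)) >= ctl["new_version"]:
            return m.group(0)
        count += 1
        return m.group(1) + ",".join(str(p) for p in ctl["new_version"])

    page = CLSID_RE.sub(fix_clsid, page)
    page = CODEBASE_RE.sub(fix_codebase, page)
    return page, count


# Constructed sample resembling the OBJECT tag of an un-updated Ceenroll.asp page;
# the CLSID and CODEBASE values are the old ones quoted in the article.
SAMPLE_OLD_PAGE = """<OBJECT classid="clsid:43F8F289-7A20-11D0-8F06-00C04FC295E1"
  CODEBASE="/CertControl/xenroll.cab#Version=5,131,2090,1" ID=XEnroll>
</OBJECT>
"""
```

Running `audit_page` over the updated text a second time is the quickest way to confirm that every reference on a page has been rewritten.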

When a Web page has been successfully updated, if you are using a client that has not been updated, you receive the following message that indicates that the updated control is being downloaded and registered in the Internet Explorer browser:

Downloading ActiveX Control

You can use Windows 2000-based and Windows XP-based client computers in conjunction with the Web enrollment services pages on IIS and a Windows 2000 CA to enroll smartcards on behalf of other users. The Smartcard Enrollment station works through Internet Explorer on the client computer and IIS on the server that is hosting the CA Web enrollment pages (this is an optional component during CA installation). The new version of the Smartcard Enrollment control on an updated Web site is not marked "safe for scripting." You must manually configure the Internet Explorer browser to add the Web server computer that is hosting the Web enrollment pages to the list of trusted sites in the Security tab of the Internet Explorer options. If you do not do so, the Smartcard Enrollment control will not be downloaded and it cannot be used. After the Web server has been added to the list of trusted sites, the Smartcard Enrollment pages still display the following warning (this message appears by design):

An Active control on this page might be unsafe to interact with other parts of the page. Do you want to allow this interaction yes/no?

Click Yes to continue using the Smartcard Enrollment station Web pages.

If the Web server is not listed in the trusted sites in Internet Explorer, you receive the following error message:

The proper version of the ActiveX Control failed to download and install. You may not have sufficient permissions. Please ask your system administrator for assistance.

For additional information about possible problems installing Certificate Services after you apply this update, click the article number below to view the article in the Microsoft Knowledge Base:

328595 Problems Installing Certificate Services After you Apply the Q323172 Patch

For more information about this vulnerability, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS02-048.mspx

For additional information about Windows Millennium Edition hotfixes, click the article number below to view the article in the Microsoft Knowledge Base:

295413 General Information About Windows Millennium Edition Hotfixes

For additional information about Windows 98 and Windows 98 Second Edition hotfixes, click the article number below to view the article in the Microsoft Knowledge Base:

206071 General Information on Windows 98 and SE Hotfixes

Keywords: kbhotfixserver kbqfe atdownload kbenv kbwin2ksp4fix kbbug kbfix kbsecbulletin kbsecurity kbsecvulnerability kbwin2000presp4fix kbwinxpsp1fix KB323172

-


© Microsoft Corporation. All rights reserved.