Microsoft KB Archive/329115

= MS02-050: Certificate validation flaw might permit identity spoofing =

Article ID: 329115

Article Last Modified on 12/1/2007


APPLIES TO


 * Microsoft Windows XP Professional x64 Edition
 * Microsoft Windows XP Home Edition
 * Microsoft Windows XP Professional
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Server
 * Microsoft Windows NT Server 4.0 Standard Edition
 * Microsoft Windows NT Server 4.0 Enterprise Edition
 * Microsoft Windows NT Server 4.0, Terminal Server Edition
 * Microsoft Windows NT Workstation 4.0 Developer Edition
 * Microsoft Windows Millennium Edition
 * Microsoft Windows 98 Second Edition
 * Microsoft Windows 98 Standard Edition
 * Microsoft Office 2001 for Mac
 * Microsoft Office 98 for Macintosh
 * Microsoft Office X for Mac Standard Edition
 * Microsoft Internet Explorer 4.01 for Macintosh
 * Microsoft Internet Explorer 4.5 for Macintosh
 * Microsoft Internet Explorer 5.0 for Macintosh
 * Microsoft Outlook Express 5.0 Macintosh Edition




This article was previously published under Q329115



This article replaces Microsoft Knowledge Base article 328145.



Technical updates

 * November 11, 2003: This article was updated to provide information about a new security update for customers who installed Microsoft Windows 2000 Service Pack 4 (SP4) and then installed Microsoft Internet Explorer 6 Service Pack 1 (SP1).



SYMPTOMS
The original version of Microsoft Security Bulletin MS02-050 was released on September 5, 2002. On September 9, 2002, the bulletin was updated to advise customers that a Microsoft-issued digital certificate that was used to sign device drivers did not meet the stricter validation standards that were established by the patch. Therefore, customers who installed the patch might receive unexpected error messages when they installed new hardware, or in some cases, might not be able to install new hardware. An updated patch was released on November 20, 2002. This new patch not only prevents this problem, but also prevents a newly discovered variant of the original vulnerability.

The IETF profile of the X.509 certificate standard defines several optional fields that can be included in a digital certificate. One of these is the Basic Constraints field, which indicates the maximum permitted length of the certificate's chain and whether the certificate is a certification authority or an end-entity certificate. However, the functions in CryptoAPI that construct and validate certificate chains (the CertGetCertificateChain, CertVerifyCertificateChainPolicy, and WinVerifyTrust functions) do not check the Basic Constraints field. The same flaw, unrelated to CryptoAPI, is also present in several Microsoft products for Macintosh.

The vulnerability that was identified in the original version of the bulletin might permit an attacker who has a valid end-entity certificate to issue a subordinate certificate that, although not actually valid, passes validation. Because CryptoAPI is used by many programs, this might permit a variety of identity spoofing attacks. These might include:
 * Setting up a Web site that poses as a different Web site, and "proving" its identity by establishing an SSL session as the legitimate Web site.
 * Sending e-mail messages that are signed by using a digital certificate that purportedly belongs to a different user.
 * Spoofing certificate-based authentication systems to gain entry as a highly privileged user.
 * Digitally signing malicious software by using an Authenticode certificate that claims to have been issued to a company that users might trust.
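The missing check can be shown in a few lines. The following is an added example, not Microsoft's code and not part of the original article: it decodes the Basic Constraints extension value and compares a chain builder that only follows issuer/subject links with one that also enforces the cA flag and pathLenConstraint. The certificate names and bytes are constructed, signature verification is left out, and self-issued intermediates are not treated specially.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Cert:
    subject: str
    issuer: str
    basic_constraints: Optional[bytes]  # DER value of the extension; None if absent

def parse_basic_constraints(der: Optional[bytes]) -> Tuple[bool, Optional[int]]:
    """Decode SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }.
    Short-form DER lengths only, which is all this tiny structure needs."""
    if der is None:
        return False, None              # no extension: treat as end-entity
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("malformed BasicConstraints")
    body, ca, path_len = der[2:], False, None
    if len(body) >= 3 and body[:2] == b"\x01\x01":   # BOOLEAN, length 1
        ca, body = body[2] != 0, body[3:]
    if len(body) >= 3 and body[0] == 0x02 and 2 + body[1] == len(body):
        path_len, body = int.from_bytes(body[2:], "big"), b""
    if body:
        raise ValueError("trailing data in BasicConstraints")
    return ca, path_len

def naive_chain_ok(chain: List[Cert]) -> bool:
    """Issuer/subject linkage only (leaf first, root last); stands in for a
    validator that never looks at Basic Constraints."""
    return all(c.issuer == p.subject for c, p in zip(chain, chain[1:]))

def strict_chain_ok(chain: List[Cert]) -> bool:
    """Linkage plus Basic Constraints: every issuing certificate must assert
    cA=TRUE and must not have more CA certificates below it than pathLen allows."""
    if not naive_chain_ok(chain):
        return False
    for i, cert in enumerate(chain[1:], start=1):
        try:
            ca, path_len = parse_basic_constraints(cert.basic_constraints)
        except ValueError:
            return False
        intermediates_below = i - 1      # CA certs between this one and the leaf
        if not ca or (path_len is not None and intermediates_below > path_len):
            return False
    return True

# Constructed sample certificates (names and bytes are made up for this example).
CA_TRUE = bytes.fromhex("30030101ff")
CA_TRUE_PATHLEN0 = bytes.fromhex("30060101ff020100")
END_ENTITY = bytes.fromhex("3000")
ROOT = Cert("CN=Example Root", "CN=Example Root", CA_TRUE)
ISSUING = Cert("CN=Example Issuing CA", "CN=Example Root", CA_TRUE_PATHLEN0)
SITE_A = Cert("CN=site-a.example", "CN=Example Issuing CA", END_ENTITY)
SUB_OF_A = Cert("CN=site-b.example", "CN=site-a.example", None)
SUB_CA = Cert("CN=Extra CA", "CN=Example Issuing CA", CA_TRUE)
LEAF_C = Cert("CN=site-c.example", "CN=Extra CA", END_ENTITY)

GOOD_CHAIN = [SITE_A, ISSUING, ROOT]
SPOOFED_CHAIN = [SUB_OF_A, SITE_A, ISSUING, ROOT]   # end-entity acting as issuer
TOO_DEEP_CHAIN = [LEAF_C, SUB_CA, ISSUING, ROOT]    # violates pathLen=0
```

Both validators accept `GOOD_CHAIN`; only `strict_chain_ok` rejects the chain in which an end-entity certificate appears as an issuer and the chain that exceeds the issuing CA's path length.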

The newly discovered vulnerability that was announced on November 20, 2002, is closely related to the vulnerability that is discussed in the original version of the bulletin. Like that vulnerability, the new vulnerability involves a flaw in the way in which certificate validation is performed. However, this vulnerability might permit an attacker to gain control over a user's computer. Because a fix for this vulnerability was not included in the original version of the patch, Microsoft strongly recommends that customers install the new patch, even if they installed the original version of the patch.

Only Microsoft Windows 98, Microsoft Windows 98 Second Edition, Microsoft Windows NT 4.0, and Microsoft Windows NT 4.0, Terminal Server Edition, are affected by this variant of the vulnerability.



Service pack information
To resolve this problem, obtain the latest service pack for Microsoft Windows XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to obtain the latest Windows XP service pack

Update download information
The following file is available for download from the Microsoft Download Center:

All languages: Download the Q329115 package now

Release Date: November 20, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Installation information
You must restart your computer after you apply this update. This update supports the following Setup program switches:
 * /?: Display the list of installation switches.
 * /u: Unattended mode.
 * /f: Force other programs to quit when the computer shuts down.
 * /n: Do not back up files for removal.
 * /o: Overwrite OEM files without prompting.
 * /z: Do not restart when installation is complete.
 * /q: Quiet mode (no user interaction).
 * /l: List installed hotfixes.
 * /x: Extracts the files without running Setup.

For example, to install the update without any user intervention, and then not to force the computer to restart, use the following command line:

q329115_wxp_sp2_x86_enu /u /q /z

Warning Your computer is vulnerable until you restart it.

File information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

The following files are copied to the %WINDIR%\System32 folder:

Windows XP Home Edition and Professional
  Date         Time   Version          Size     File name
  23-Sep-2002  20:10  5.131.2600.1123  544,256  Crypt32.dll

Windows XP 64-Bit Edition
  Date         Time   Version          Size       File name
  23-Sep-2002  20:10  5.131.2600.1123  1,920,512  Crypt32.dll
  22-Sep-2002  02:26  5.131.2600.1123    544,256  Wcrypt32.dll

Service pack information
To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

Important A regression may occur when you install Internet Explorer 6 Service Pack 1 (SP1) on computers that are running Windows 2000 Service Pack 4 (SP4). This regression removes the update that is discussed in this bulletin and that is provided as part of Windows 2000 SP4. Apply the updated Windows 2000 SP4 security update that is mentioned later in this article to help protect your computer from this vulnerability.

Windows 2000 SP4
The following file is available for download from the Microsoft Download Center:

All languages: Download the Q329115 package now

Release Date: November 11, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Windows 2000 SP2 and SP3
The following file is available for download from the Microsoft Download Center:

All languages: Download the Q329115 package now

Release Date: November 20, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Note If you apply this fix on a RIS member server, you must also apply the fix on all domain controllers in your domain. If you do not, RIS clients cannot authenticate by using the user principal name (UPN) format. If you use the UPN format, you receive the following error message:

Logon error

The system cannot validate your user name, password, or domain name. Verify that your user name and domain name are correct, and then retype your password. Passwords must be typed using the correct case. Be sure the CAPS LOCK key is not pressed.

Installation Information
You must restart your computer after you apply this update. This update supports the following Setup switches:
 * /?: Display the list of installation switches.
 * /u: Unattended mode.
 * /f: Force other programs to quit when the computer shuts down.
 * /n: Do not back up files for removal.
 * /o: Overwrite OEM files without prompting.
 * /z: Do not restart when installation is complete.
 * /q: Quiet mode (no user interaction).
 * /l: List installed hotfixes.
 * /x: Extracts the files without running Setup.

For example, to install the update without any user intervention, and then not to force the computer to restart, use the following command line:

Windows 2000 SP4
windows2000-kb329115-x86-enu /u /q /z

Windows 2000 SP2 and SP3
q329115_w2k_sp4_x86_en /u /q /z

Warning Your computer is vulnerable until you restart it.

File Information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

The following files are copied to the %WINDIR%\System32 folder:

Windows 2000 SP4
  Date         Time   Version        Size    File name
  14-Jul-2003  20:18  5.0.1558.6608  90,384  Cryptdlg.dll

Windows 2000 SP2 and SP3
  Date         Time   Version               Size  File name
  26-Aug-2002  12:45  5.0.2195.5781      123,664  Adsldp.dll
  26-Aug-2002  12:45  5.0.2195.5781      131,344  Adsldpc.dll
  26-Aug-2002  12:45  5.0.2195.5781       62,736  Adsmsext.dll
  26-Aug-2002  12:45  5.0.2195.5992      358,160  Advapi32.dll
  26-Aug-2002  12:45  5.0.2195.5265       42,256  Basesrv.dll
  26-Aug-2002  12:45  5.0.2195.5855       49,424  Browser.dll
  25-Sep-2002  16:36  5.131.2195.6072    469,776  Crypt32.dll
  25-Sep-2002  16:36  5.0.1558.6072       90,384  Cryptdlg.dll
  26-Aug-2002  12:45  5.0.2195.6012      135,952  Dnsapi.dll
  07-Nov-2002  19:08  5.0.2195.6076       96,016  Dnsrslvr.dll
  26-Aug-2002  12:45  5.0.2195.5722       45,328  Eventlog.dll
  26-Aug-2002  12:45  5.0.2195.5907      222,992  Gdi32.dll
  26-Aug-2002  12:45  5.0.2195.5859      145,680  Kdcsvc.dll
  04-Jun-2002  17:31  5.0.2195.5859      199,952  Kerberos.dll
  26-Aug-2002  12:45  5.0.2195.6011      708,880  Kernel32.dll
  21-Aug-2002  12:27  5.0.2195.6023       71,248  Ksecdd.sys
  22-Jul-2002  19:54  5.0.2195.5960      507,152  Lsasrv.dll
  22-Jul-2002  19:54  5.0.2195.5960       33,552  Lsass.exe
  26-Aug-2002  12:45  5.0.2195.4733      332,560  Msgina.dll
  12-Aug-2002  20:54  5.0.2195.6006      108,816  Msv1_0.dll
  26-Aug-2002  12:45  5.0.2195.5979      307,472  Netapi32.dll
  26-Aug-2002  12:45  5.0.2195.5966      360,720  Netlogon.dll
  06-Sep-2002  14:40  5.0.2195.6044      917,264  Ntdsa.dll
  26-Aug-2002  12:45  5.0.2195.5936      119,568  Psbase.dll
  26-Aug-2002  12:45  5.0.2195.6025      389,392  Samsrv.dll
  26-Aug-2002  12:45  5.0.2195.5951      129,296  Scecli.dll
  26-Aug-2002  12:45  5.0.2195.5951      302,864  Scesrv.dll
  23-Oct-2002  14:05  5.0.2195.6100      138,752  Sp3res.dll
  13-Jun-2001  01:05  5.0.2195.3727        3,856  Svcpack1.dll
  26-Aug-2002  12:45  5.0.2195.6000      379,664  User32.dll
  26-Aug-2002  12:45  5.0.2195.5968      369,936  Userenv.dll
  26-Aug-2002  12:45  5.0.2195.5859       48,912  W32time.dll
  04-Jun-2002  17:32  5.0.2195.5859       57,104  W32tm.exe
  24-Aug-2002  14:50  5.0.2195.6028    1,642,416  Win32k.sys
  15-Aug-2002  11:30  5.0.2195.6013      179,472  Winlogon.exe
  26-Aug-2002  12:45  5.0.2195.5935      243,472  Winsrv.dll
  26-Aug-2002  12:45  5.0.2195.5944      125,712  Wldap32.dll
  22-Jul-2002  19:54  5.0.2195.5960      507,664  Lsasrv.dll    56-bit
  07-Nov-2002  19:08  5.0.2195.6011      708,880  Kernel32.dll  UniProc
  07-Nov-2002  19:08  5.0.2195.6028    1,642,416  Win32k.sys    UniProc
  26-Aug-2002  12:45  5.0.2195.5935      243,472  Winsrv.dll    UniProc

NOTE: Because of file dependencies, this update may contain additional files. This update requires Windows 2000 Service Pack 2 (SP2) or Service Pack 3 (SP3). For additional information about how to obtain the latest service pack, click the article number below to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack


The following files, for the given language, are available for download from the Microsoft Download Center:

Windows NT Server 4.0

English Language Version

Arabic Language Version

Chinese (Simplified) Language Version

Chinese (Traditional) Language Version

Chinese (Hong Kong) Language Version

Czech Language Version

Danish Language Version

Dutch Language Version

Finnish Language Version

French Language Version

German Language Version

Hebrew Language Version

Hungarian Language Version

Italian Language Version

Japanese Language Version

Japanese NEC Language Version

Korean Language Version

Norwegian Language Version

Polish Language Version

Portuguese (Brazilian) Language Version

Russian Language Version

Spanish Language Version

Swedish Language Version

Thai Language Version

Windows NT Server 4.0, Terminal Server Edition

English Language Version

French Language Version

German Language Version

Japanese Language Version

Spanish Language Version

Release Date: November 20, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Installation information
You must restart your computer after you apply this update. This update supports the following Setup switches:
 * /y: Perform removal (only with /m or /q).
 * /f: Force programs to be closed at shutdown.
 * /n: Do not create an Uninstall folder.
 * /z: Do not restart when the update is completed.
 * /q: Quiet or Unattended mode with no user interface (this switch is a superset of /m).
 * /m: Unattended mode with user interface.
 * /l: List installed hotfixes.
 * /x: Extracts the files without running Setup.

For example, to install the update without any user intervention, and then to not force the computer to restart, use the following command line:

q329115i /q /z

Warning Your computer is vulnerable until you restart it.

File information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

The following files are copied to the %WINDIR%\System32 folder:

Windows NT 4.0
  Date         Time   Version         Size     File name
  12-Sep-2002  21:10  5.131.1878.12   372,496  Crypt32.dll
  25-Sep-2002  18:36  5.0.1558.6072    90,384  Cryptdlg.dll
  26-Sep-2002  18:38  4.86.1964.1878  143,632  Schannel.dll
  26-Sep-2002  18:38  4.87.1964.1878  112,912  Schannel.dll  128-bit

Windows NT Server 4.0, Terminal Server Edition
  Date         Time   Version         Size     File name
  12-Sep-2002  21:10  5.131.1878.12   372,496  Crypt32.dll
  25-Sep-2002  18:36  5.0.1558.6072    90,384  Cryptdlg.dll
  26-Sep-2002  18:38  4.86.1964.1878  143,632  Schannel.dll
  26-Sep-2002  18:38  4.87.1964.1878  112,912  Schannel.dll  128-bit

Note Because of file dependencies, this update requires Windows NT 4.0 Service Pack 6a (SP6a) or Windows NT Server 4.0, Terminal Server Edition Service Pack 6 (SP6). For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

152734 How to Obtain the Latest Windows NT 4.0 Service Pack


Download information
The following files are available for download from the Microsoft Download Center:

Windows Millennium Edition (Me)

All languages: Download the 329115 package now

Windows 98 and Windows 98 Second Edition

All languages: Download the 329115 package now

Release Date: November 20, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

File information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows Millennium Edition

  Date         Time   Version        Size     File name
  12-Sep-2002  20:51  5.131.2133.6   468,752  Crypt32.dll
  25-Sep-2002  17:36  5.0.1558.6072   90,384  Cryptdlg.dll

Windows 98 and Windows 98 Second Edition

  Date         Time   Version         Size     File name
  12-Sep-2002  20:10  5.131.1878.12   372,496  Crypt32.dll
  25-Sep-2002  17:36  5.0.1558.6072    90,384  Cryptdlg.dll
  26-Sep-2002  17:38  4.87.1964.1878  112,912  Schannel.dll

Office v. X, Office 2001, Office 98 for Mac; Outlook Express for Mac; Internet Explorer for Mac
For information about obtaining updates for these products, visit the following Microsoft Web site:

http://www.microsoft.com/mac/downloads.aspx




STATUS
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed in the "Applies to" section.

Windows XP
This problem was first corrected in Microsoft Windows XP Service Pack 2.

Windows 2000
This problem was first corrected in Microsoft Windows 2000 Service Pack 4.



MORE INFORMATION
For more information about this vulnerability, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS02-050.mspx

For additional information about correcting the problem that occurs if the correct file is not installed when you use QChain.exe, click the following article number to view the article in the Microsoft Knowledge Base:

815062 The correct file is not installed when you chain multiple hotfixes

Additional query words: ris logon error security_patch man-in-the-middle Q328145 328145.KB.EN-US

Keywords: kbhotfixserver kbqfe atdownload kbwinxpsp2fix kbenv kbwin2ksp4fix kbsecvulnerability kbsecbulletin kbbug kbfix kbsecurity kbwinxppresp2fix KB329115


© Microsoft Corporation. All rights reserved.