Article ID: 328463
Article Last Modified on 8/18/2005
APPLIES TO
- Microsoft Encarta Reference Suite 2001
This article was previously published under Q328463
Notice
For a Microsoft Windows CE .NET version 4.0 or version 4.1 version of this article, see 328464 or 328584 respectively.
SYMPTOMS
The Internet Engineering Task Force (IETF) profile of the X.509 certificate standard defines several optional fields that can be included in a digital certificate. One of these optional fields is the Basic Constraints field. This field indicates the maximum permitted length of the certificate's chain and whether the certificate is a certification authority (CA) or an end-entity certificate. However, the functions in Crypto API that construct and validate certificate chains (CertGetCertificateChain) do not check the Basic Constraints field.
This vulnerability might permit an attacker who has a valid end-entity certificate to issue a fake subordinate certificate that passes validation. Because Crypto API is used by many programs, this might permit a variety of identity spoofing attacks. These attacks might include:
- Setting up a Web site that poses as a different Web site, and "proves" its identity by setting up a Secure Sockets Layer (SSL) session as the legitimate Web site.
- Sending e-mail messages that are signed by using a digital certificate that appears to belong to a different user.
- Spoofing certificate-based authentication systems to gain entry as a highly privileged user.
- Digitally signing malicious software by using an Authenticode certificate that claims to have been issued to a company that users might trust.
For more information about this vulnerability, visit the following Microsoft Web site:
Microsoft Security Bulletin MS02-050
http://www.microsoft.com/technet/security/bulletin/MS02-050.mspx
RESOLUTION
A supported software update is now available from Microsoft as Windows CE 3.0 Core OS QFE 328463. To resolve this problem immediately, click the following article number for information about obtaining Windows CE Platform Builder and core operating system software updates:
837392 How to locate core operating system fixes for Microsoft Windows CE Platform Builder products
The global version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Date Time Version Size File name ---------------------------------------------------------------------------- 18-Dec-2002 02:07 3.0.2.1217 256,600 021217_arm720_wce30-q328463.exe 18-Dec-2002 02:07 3.0.2.1217 256,600 021217_ppc403_wce30-q328463.exe 18-Dec-2002 02:07 3.0.2.1217 256,600 021217_ppc821_wce30-q328463.exe 18-Dec-2002 02:07 3.0.2.1217 256,600 021217_r3000_wce30-q328463.exe 18-Dec-2002 02:07 3.0.2.1217 256,600 021217_r4100_wce30-q328463.exe 18-Dec-2002 02:07 3.0.2.1217 256,600 021217_r4111_wce30-q328463.exe 18-Dec-2002 02:07 3.0.2.1217 256,600 021217_r4300_wce30-q328463.exe 18-Dec-2002 02:07 3.0.2.1217 256,600 021217_sa1100_wce30-q328463.exe 18-Dec-2002 02:07 3.0.2.1217 256,600 021217_sh3_wce30-q328463.exe 18-Dec-2002 02:07 3.0.2.1217 256,600 021217_sh4_wce30-q328463.exe 18-Dec-2002 02:08 3.0.2.1217 256,600 021217_thumb_wce30-q328463.exe 18-Dec-2002 02:08 3.0.2.1217 256,600 021217_x86_wce30-q328463.exe
The global version of this package should have the following file attributes or later:
Date Time Version Size File name ------------------------------------------------------------ Path: Public\Commaddon\Oak\Lib\Arm\ARM720\Ce\Debug 14-Oct-2002 18:06 18,708 Crypt32.lib 14-Oct-2002 18:06 77,824 Crypt32.pdb Path: Public\Commaddon\Oak\Lib\Arm\ARM720\Ce\Retail 14-Oct-2002 18:05 18,616 Crypt32.lib 14-Oct-2002 18:05 77,824 Crypt32.pdb Path: Public\Commaddon\Oak\Lib\Arm\SA1100\Ce\Debug 14-Oct-2002 17:38 18,700 Crypt32.lib 14-Oct-2002 17:38 77,824 Crypt32.pdb Path: Public\Commaddon\Oak\Lib\Arm\SA1100\Ce\Retail 14-Oct-2002 17:36 18,612 Crypt32.lib 14-Oct-2002 17:36 77,824 Crypt32.pdb Path: Public\Commaddon\Oak\Lib\Mips\R3000\Ce\Debug 14-Oct-2002 17:48 19,808 Crypt32.lib 14-Oct-2002 17:48 77,824 Crypt32.pdb Path: Public\Commaddon\Oak\Lib\Mips\R3000\Ce\Retail 14-Oct-2002 17:46 19,706 Crypt32.lib 14-Oct-2002 17:46 77,824 Crypt32.pdb Path: Public\Commaddon\Oak\Lib\Mips\R4100\Ce\Debug 14-Oct-2002 17:51 19,808 Crypt32.lib 14-Oct-2002 17:51 77,824 Crypt32.pdb Path: Public\Commaddon\Oak\Lib\Mips\R4100\Ce\Retail 14-Oct-2002 17:50 19,698 Crypt32.lib 14-Oct-2002 17:50 77,824 Crypt32.pdb Path: Public\Commaddon\Oak\Lib\Mips\R4111\Ce\Debug 14-Oct-2002 17:54 18,346 Crypt32.lib 14-Oct-2002 17:54 77,824 Crypt32.pdb Path: Public\Commaddon\Oak\Lib\Mips\R4111\Ce\Retail 14-Oct-2002 17:53 18,268 Crypt32.lib 14-Oct-2002 17:53 77,824 Crypt32.pdb Path: Public\Commaddon\Oak\Lib\Mips\R4300\Ce\Debug 14-Oct-2002 17:57 19,808 Crypt32.lib 14-Oct-2002 17:57 77,824 Crypt32.pdb Path: Public\Commaddon\Oak\Lib\Mips\R4300\Ce\Retail 14-Oct-2002 17:56 19,698 Crypt32.lib 14-Oct-2002 17:56 77,824 Crypt32.pdb Path: Public\Commaddon\Oak\Lib\Ppc\PPC403\Ce\Debug 14-Oct-2002 18:00 18,990 Crypt32.lib 14-Oct-2002 18:00 77,824 Crypt32.pdb Path: Public\Commaddon\Oak\Lib\Ppc\PPC403\Ce\Retail 14-Oct-2002 17:59 18,976 Crypt32.lib 14-Oct-2002 17:59 77,824 Crypt32.pdb Path: Public\Commaddon\Oak\Lib\Ppc\PPC821\Ce\Debug 14-Oct-2002 18:03 18,990 Crypt32.lib 14-Oct-2002 18:03 77,824 Crypt32.pdb Path: Public\Commaddon\Oak\Lib\Ppc\PPC821\Ce\Retail 14-Oct-2002 18:02 18,976 Crypt32.lib 14-Oct-2002 18:02 77,824 Crypt32.pdb Path: Public\Commaddon\Oak\Lib\Shx\SH3\Ce\Debug 14-Oct-2002 17:41 18,954 Crypt32.lib 14-Oct-2002 17:41 77,824 Crypt32.pdb Path: Public\Commaddon\Oak\Lib\Shx\SH3\Ce\Retail 14-Oct-2002 17:40 18,994 Crypt32.lib 14-Oct-2002 17:40 77,824 Crypt32.pdb Path: Public\Commaddon\Oak\Lib\Shx\SH4\Ce\Debug 14-Oct-2002 17:45 18,954 Crypt32.lib 14-Oct-2002 17:45 77,824 Crypt32.pdb Path: Public\Commaddon\Oak\Lib\Shx\SH4\Ce\Retail 14-Oct-2002 17:43 18,994 Crypt32.lib 14-Oct-2002 17:43 77,824 Crypt32.pdb Path: Public\Commaddon\Oak\Lib\Thumb\ARM720\Ce\Debug 14-Oct-2002 18:09 18,908 Crypt32.lib 14-Oct-2002 18:09 77,824 Crypt32.pdb Path: Public\Commaddon\Oak\Lib\Thumb\ARM720\Ce\Retail 14-Oct-2002 18:07 18,748 Crypt32.lib 14-Oct-2002 18:07 77,824 Crypt32.pdb Path: Public\Commaddon\Oak\Lib\X86\I486\CE\Debug 14-Oct-2002 17:35 18,190 Crypt32.lib 14-Oct-2002 17:35 77,824 Crypt32.pdb Path: Public\Commaddon\Oak\Lib\X86\I486\CE\Retail 14-Oct-2002 17:34 18,214 Crypt32.lib 14-Oct-2002 17:34 77,824 Crypt32.pdb
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.
Keywords: kbbug kbfix KB328463