Microsoft KB Archive/328463



FIX: Security Fix for SSL Certificate Chain Verification

Article ID: 328463

Article Last Modified on 8/18/2005



APPLIES TO

  • Microsoft Encarta Reference Suite 2001



This article was previously published under Q328463

Notice

For the Microsoft Windows CE .NET 4.0 or 4.1 version of this article, see 328464 or 328584, respectively.

SYMPTOMS

The Internet Engineering Task Force (IETF) profile of the X.509 certificate standard defines several optional fields that can be included in a digital certificate. One of these optional fields is the Basic Constraints field. This field indicates the maximum permitted length of the certificate's chain and whether the certificate is a certification authority (CA) or an end-entity certificate. However, the functions in Crypto API that construct and validate certificate chains (CertGetCertificateChain) do not check the Basic Constraints field.

This vulnerability might permit an attacker who has a valid end-entity certificate to issue a fake subordinate certificate that passes validation. Because Crypto API is used by many programs, this might permit a variety of identity spoofing attacks. These attacks might include:

  • Setting up a Web site that poses as a different Web site, and "proves" its identity by setting up a Secure Sockets Layer (SSL) session as the legitimate Web site.
  • Sending e-mail messages that are signed by using a digital certificate that appears to belong to a different user.
  • Spoofing certificate-based authentication systems to gain entry as a highly privileged user.
  • Digitally signing malicious software by using an Authenticode certificate that claims to have been issued to a company that users might trust.
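The missing check, shown as an added example (not Microsoft's code and not Crypto API source): a validator that enforces Basic Constraints on every issuer in an already-built chain. The `cert_t` struct, the status names and the sample chains are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified certificate model (not a CryptoAPI type).
   Signatures and validity dates are assumed to be checked elsewhere. */
typedef struct {
    const char *subject;
    bool is_ca;     /* Basic Constraints cA flag; false if extension absent */
    int  path_len;  /* pathLenConstraint; -1 = not set */
} cert_t;

typedef enum { CHAIN_OK, CHAIN_ERR_NOT_CA, CHAIN_ERR_PATH_LEN } chain_status_t;

/* chain[0] is the end-entity certificate, chain[n-1] the root. Each issuer
   must be a CA with at most path_len intermediate CAs below it. Simplified:
   self-issued certificates are not special-cased and the root is checked
   like any other issuer. */
chain_status_t check_basic_constraints(const cert_t *chain, size_t n)
{
    for (size_t i = 1; i < n; i++) {
        size_t intermediates_below = i - 1;   /* the leaf is not counted */
        if (!chain[i].is_ca)
            return CHAIN_ERR_NOT_CA;          /* end-entity used as issuer */
        if (chain[i].path_len >= 0 &&
            intermediates_below > (size_t)chain[i].path_len)
            return CHAIN_ERR_PATH_LEN;
    }
    return CHAIN_OK;
}

/* Constructed sample chains; all names are made up. */
const cert_t legit[] = {
    {"www.shop.example", false, -1}, {"Example Issuing CA", true, 0},
    {"Example Root CA", true, -1} };
const cert_t forged[] = {   /* leaf issued under an end-entity certificate */
    {"www.bank.example", false, -1}, {"www.shop.example", false, -1},
    {"Example Issuing CA", true, 0}, {"Example Root CA", true, -1} };
const cert_t too_deep[] = { /* extra CA below an issuer with path_len 0 */
    {"www.shop.example", false, -1}, {"Extra Sub CA", true, -1},
    {"Example Issuing CA", true, 0}, {"Example Root CA", true, -1} };

int main(void)
{
    printf("legit=%d forged=%d too_deep=%d\n", check_basic_constraints(legit, 3),
           check_basic_constraints(forged, 4), check_basic_constraints(too_deep, 4));
    return 0;
}
```

A validator that skips this loop accepts the `forged` chain, because every signature in it is genuine; only the cA flag on the second certificate shows that it was never allowed to issue anything.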

For more information about this vulnerability, visit the following Microsoft Web site:

RESOLUTION

A supported software update is now available from Microsoft as Windows CE 3.0 Core OS QFE 328463. To resolve this problem immediately, click the following article number for information about obtaining Windows CE Platform Builder and core operating system software updates:

837392 How to locate core operating system fixes for Microsoft Windows CE Platform Builder products


The global version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

   Date         Time   Version       Size     File name
   ----------------------------------------------------------------------------
   18-Dec-2002  02:07  3.0.2.1217    256,600  021217_arm720_wce30-q328463.exe  
   18-Dec-2002  02:07  3.0.2.1217    256,600  021217_ppc403_wce30-q328463.exe  
   18-Dec-2002  02:07  3.0.2.1217    256,600  021217_ppc821_wce30-q328463.exe  
   18-Dec-2002  02:07  3.0.2.1217    256,600  021217_r3000_wce30-q328463.exe  
   18-Dec-2002  02:07  3.0.2.1217    256,600  021217_r4100_wce30-q328463.exe  
   18-Dec-2002  02:07  3.0.2.1217    256,600  021217_r4111_wce30-q328463.exe  
   18-Dec-2002  02:07  3.0.2.1217    256,600  021217_r4300_wce30-q328463.exe  
   18-Dec-2002  02:07  3.0.2.1217    256,600  021217_sa1100_wce30-q328463.exe  
   18-Dec-2002  02:07  3.0.2.1217    256,600  021217_sh3_wce30-q328463.exe  
   18-Dec-2002  02:07  3.0.2.1217    256,600  021217_sh4_wce30-q328463.exe  
   18-Dec-2002  02:08  3.0.2.1217    256,600  021217_thumb_wce30-q328463.exe  
   18-Dec-2002  02:08  3.0.2.1217    256,600  021217_x86_wce30-q328463.exe  

The global version of this package should have the following file attributes or later:

   Date         Time   Version       Size     File name
   ------------------------------------------------------------
   Path: Public\Commaddon\Oak\Lib\Arm\ARM720\Ce\Debug
   14-Oct-2002  18:06                     18,708  Crypt32.lib
   14-Oct-2002  18:06                     77,824  Crypt32.pdb

   Path: Public\Commaddon\Oak\Lib\Arm\ARM720\Ce\Retail
   14-Oct-2002  18:05                     18,616  Crypt32.lib
   14-Oct-2002  18:05                     77,824  Crypt32.pdb

   Path: Public\Commaddon\Oak\Lib\Arm\SA1100\Ce\Debug
   14-Oct-2002  17:38                     18,700  Crypt32.lib
   14-Oct-2002  17:38                     77,824  Crypt32.pdb

   Path: Public\Commaddon\Oak\Lib\Arm\SA1100\Ce\Retail
   14-Oct-2002  17:36                     18,612  Crypt32.lib
   14-Oct-2002  17:36                     77,824  Crypt32.pdb

   Path: Public\Commaddon\Oak\Lib\Mips\R3000\Ce\Debug
   14-Oct-2002  17:48                     19,808  Crypt32.lib
   14-Oct-2002  17:48                     77,824  Crypt32.pdb

   Path: Public\Commaddon\Oak\Lib\Mips\R3000\Ce\Retail
   14-Oct-2002  17:46                     19,706  Crypt32.lib
   14-Oct-2002  17:46                     77,824  Crypt32.pdb

   Path: Public\Commaddon\Oak\Lib\Mips\R4100\Ce\Debug
   14-Oct-2002  17:51                     19,808  Crypt32.lib
   14-Oct-2002  17:51                     77,824  Crypt32.pdb

   Path: Public\Commaddon\Oak\Lib\Mips\R4100\Ce\Retail
   14-Oct-2002  17:50                     19,698  Crypt32.lib
   14-Oct-2002  17:50                     77,824  Crypt32.pdb

   Path: Public\Commaddon\Oak\Lib\Mips\R4111\Ce\Debug
   14-Oct-2002  17:54                     18,346  Crypt32.lib
   14-Oct-2002  17:54                     77,824  Crypt32.pdb

   Path: Public\Commaddon\Oak\Lib\Mips\R4111\Ce\Retail
   14-Oct-2002  17:53                     18,268  Crypt32.lib
   14-Oct-2002  17:53                     77,824  Crypt32.pdb

   Path: Public\Commaddon\Oak\Lib\Mips\R4300\Ce\Debug
   14-Oct-2002  17:57                     19,808  Crypt32.lib
   14-Oct-2002  17:57                     77,824  Crypt32.pdb

   Path: Public\Commaddon\Oak\Lib\Mips\R4300\Ce\Retail
   14-Oct-2002  17:56                     19,698  Crypt32.lib
   14-Oct-2002  17:56                     77,824  Crypt32.pdb

   Path: Public\Commaddon\Oak\Lib\Ppc\PPC403\Ce\Debug
   14-Oct-2002  18:00                     18,990  Crypt32.lib
   14-Oct-2002  18:00                     77,824  Crypt32.pdb

   Path: Public\Commaddon\Oak\Lib\Ppc\PPC403\Ce\Retail
   14-Oct-2002  17:59                     18,976  Crypt32.lib
   14-Oct-2002  17:59                     77,824  Crypt32.pdb

   Path: Public\Commaddon\Oak\Lib\Ppc\PPC821\Ce\Debug
   14-Oct-2002  18:03                     18,990  Crypt32.lib
   14-Oct-2002  18:03                     77,824  Crypt32.pdb

   Path: Public\Commaddon\Oak\Lib\Ppc\PPC821\Ce\Retail
   14-Oct-2002  18:02                     18,976  Crypt32.lib
   14-Oct-2002  18:02                     77,824  Crypt32.pdb

   Path: Public\Commaddon\Oak\Lib\Shx\SH3\Ce\Debug
   14-Oct-2002  17:41                     18,954  Crypt32.lib
   14-Oct-2002  17:41                     77,824  Crypt32.pdb

   Path: Public\Commaddon\Oak\Lib\Shx\SH3\Ce\Retail
   14-Oct-2002  17:40                     18,994  Crypt32.lib
   14-Oct-2002  17:40                     77,824  Crypt32.pdb

   Path: Public\Commaddon\Oak\Lib\Shx\SH4\Ce\Debug
   14-Oct-2002  17:45                     18,954  Crypt32.lib
   14-Oct-2002  17:45                     77,824  Crypt32.pdb

   Path: Public\Commaddon\Oak\Lib\Shx\SH4\Ce\Retail
   14-Oct-2002  17:43                     18,994  Crypt32.lib
   14-Oct-2002  17:43                     77,824  Crypt32.pdb

   Path: Public\Commaddon\Oak\Lib\Thumb\ARM720\Ce\Debug
   14-Oct-2002  18:09                     18,908  Crypt32.lib
   14-Oct-2002  18:09                     77,824  Crypt32.pdb

   Path: Public\Commaddon\Oak\Lib\Thumb\ARM720\Ce\Retail
   14-Oct-2002  18:07                     18,748  Crypt32.lib
   14-Oct-2002  18:07                     77,824  Crypt32.pdb

   Path: Public\Commaddon\Oak\Lib\X86\I486\CE\Debug
   14-Oct-2002  17:35                     18,190  Crypt32.lib
   14-Oct-2002  17:35                     77,824  Crypt32.pdb

   Path: Public\Commaddon\Oak\Lib\X86\I486\CE\Retail
   14-Oct-2002  17:34                     18,214  Crypt32.lib
   14-Oct-2002  17:34                     77,824  Crypt32.pdb

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

Keywords: kbbug kbfix KB328463