Article ID: 329115
Article Last Modified on 12/1/2007
APPLIES TO
- Microsoft Windows XP Professional x64 Edition
- Microsoft Windows XP Home Edition
- Microsoft Windows XP Professional
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional Edition
- Microsoft Windows 2000 Server
- Microsoft Windows NT Server 4.0 Standard Edition
- Microsoft Windows NT Server 4.0 Enterprise Edition
- Microsoft Windows NT Server 4.0, Terminal Server Edition
- Microsoft Windows NT Workstation 4.0 Developer Edition
- Microsoft Windows Millennium Edition
- Microsoft Windows 98 Second Edition
- Microsoft Windows 98 Standard Edition
- Microsoft Office 2001 for Mac
- Microsoft Office 98 for Macintosh
- Microsoft Office X for Mac Standard Edition
- Microsoft Internet Explorer 4.01 for Macintosh
- Microsoft Internet Explorer 4.5 for Macintosh
- Microsoft Internet Explorer 5.0 for Macintosh
- Microsoft Outlook Express 5.0 Macintosh Edition
This article was previously published under Q329115
This article replaces Microsoft Knowledge Base article 328145.
Technical updates
- November 11, 2003: This article was updated to provide information about a new security update for customers who installed Microsoft Windows 2000 Service Pack 4 (SP4) and then installed Microsoft Internet Explorer 6 Service Pack 1 (SP1).
SYMPTOMS
The original version of Microsoft Security Bulletin MS02-050 was released on September 5, 2002. On September 9, 2002, the bulletin was updated to advise customers that a Microsoft-issued digital certificate that was used to sign device drivers did not meet the stricter validation standards that were established by the patch. Therefore, customers who installed the patch might receive unexpected error messages when they installed new hardware, or in some cases, might not be able to install new hardware. An updated patch was released on November 20, 2002. This new patch not only prevents this problem, but also prevents a newly discovered variant of the original vulnerability.
The IETF profile of the X.509 certificate standard defines several optional fields that can be included in a digital certificate. One of these is the Basic Constraints field, which indicates the maximum permitted length of the certificate's chain and whether the certificate is a certification authority or an end-entity certificate. However, the functions in CryptoAPI that construct and validate certificate chains (the CertGetCertificateChain, CertVerifyCertificateChainPolicy, and WinVerifyTrust functions) do not check the Basic Constraints field. The same flaw, unrelated to CryptoAPI, is also present in several Microsoft products for Macintosh.
The vulnerability that was identified in the original version of the bulletin might permit an attacker who has a valid end-entity certificate to issue a subordinate certificate that, although not actually valid, passes validation. Because CryptoAPI is used by many programs, this might permit a variety of identity spoofing attacks. These might include:
- Setting up a Web site that poses as a different Web site, and "proving" its identity by establishing an SSL session as the legitimate Web site.
- Sending e-mail messages that are signed by using a digital certificate that purportedly belongs to a different user.
- Spoofing certificate-based authentication systems to gain entry as a highly privileged user.
- Digitally signing malicious software by using an Authenticode certificate that claims to have been issued to a company that users might trust.
The newly discovered vulnerability that was announced on November 20, 2002, is closely related to the vulnerability that is discussed in the original version of the bulletin. Like that vulnerability, the new vulnerability involves a flaw in the way in which certificate validation is performed. However, this vulnerability might permit an attacker to gain control over a user's computer. Because a fix for this vulnerability was not included in the original version of the patch, Microsoft strongly recommends that customers install the new patch, even if they installed the original version of the patch.
Only Microsoft Windows 98, Microsoft Windows 98 Second Edition, Microsoft Windows NT 4.0, and Microsoft Windows NT 4.0, Terminal Server Edition, are affected by this variant of the vulnerability.
RESOLUTION
Windows XP
Service pack information
To resolve this problem, obtain the latest service pack for Microsoft Windows XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
322389 How to obtain the latest Windows XP service pack
Update download information
The following file is available for download from the Microsoft Download Center:
All languages: ![[GRAPHIC: Download]](/wiki/index.php?title=File:Download.gif){kind=small}
Download the Q329115 package now
Release Date: November 20, 2002
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
Installation information
You must restart your computer after you apply this update. This update supports the following Setup program switches:
- /?: Display the list of installation switches.
- /u: Unattended mode.
- /f: Force other programs to quit when the computer shuts down.
- /n: Do not back up files for removal.
- /o: Overwrite OEM files without prompting.
- /z: Do not restart when installation is complete.
- /q: Quiet mode (no user interaction).
- /l: List installed hotfixes.
- /x Extracts the files without running Setup.
For example, to install the update without any user intervention, and then not to force the computer to restart, use the following command line:
q329115_wxp_sp2_x86_enu /u /q /z
Warning Your computer is vulnerable until you restart it.
File information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
The following files are copied to the %WINDIR%\System32 folder:
Windows XP Home Edition and Professional
Date Time Version Size File name --------------------------------------------------------- 23-Sep-2002 20:10 5.131.2600.1123 544,256 Crypt32.dll
Windows XP 64-Bit Edition
Date Time Version Size File name ----------------------------------------------------------- 23-Sep-2002 20:10 5.131.2600.1123 1,920,512 Crypt32.dll 22-Sep-2002 02:26 5.131.2600.1123 544,256 Wcrypt32.dll
Windows 2000
Service pack information
To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
Important A regression may occur when you are installing Internet Explorer 6 Service Pack 1 (SP1) on computers that are running Windows 2000 Service Pack (SP4). This regression removes the update that is discussed in this bulletin and that is provided as part of Windows 2000 SP4. Apply the updated Windows 2000 SP4 security update that is mentioned later in this article to help protect your computer from this vulnerability.
Update download information
Windows 2000 SP4
The following file is available for download from the Microsoft Download Center:
All languages: Download the Q329115 package now
Release Date: November 11, 2003
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
Windows 2000 SP2 and SP3
The following file is available for download from the Microsoft Download Center:
All languages: Download the Q329115 package now
Release Date: November 20, 2002
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
Note If you apply this fix on a RIS member server, you must also apply the fix on all domain controllers in your domain. If you do not, RIS clients cannot authenticate by using the user principal name (UPN) format. If you use the UPN format, you receive the following error message:
Installation Information
You must restart your computer after you apply this update. This update supports the following Setup switches:
- /?: Display the list of installation switches.
- /u: Unattended mode.
- /f: Force other programs to quit when the computer shuts down.
- /n: Do not back up files for removal.
- /o: Overwrite OEM files without prompting.
- /z: Do not restart when installation is complete.
- /q: Quiet mode (no user interaction).
- /l: List installed hotfixes.
- /x: Extracts the files without running Setup.
For example, to install the update without any user intervention, and then not to force the computer to restart, use the following command line:
Windows 2000 SP4
windows2000-kb329115-x86-enu /u /q /z
Windows 2000 SP2 and SP3
q329115_w2k_sp4_x86_en /u /q /z
Warning Your computer is vulnerable until you restart it.
File Information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
The following files are copied to the %WINDIR%\System32 folder:
Windows 2000 SP4
Date Time Version Size File name ------------------------------------------------------- 14-Jul-2003 20:18 5.0.1558.6608 90,384 Cryptdlg.dll
Windows 2000 SP2 and SP3
Date Time Version Size File name -------------------------------------------------------- 26-Aug-2002 12:45 5.0.2195.5781 123,664 Adsldp.dll 26-Aug-2002 12:45 5.0.2195.5781 131,344 Adsldpc.dll 26-Aug-2002 12:45 5.0.2195.5781 62,736 Adsmsext.dll 26-Aug-2002 12:45 5.0.2195.5992 358,160 Advapi32.dll 26-Aug-2002 12:45 5.0.2195.5265 42,256 Basesrv.dll 26-Aug-2002 12:45 5.0.2195.5855 49,424 Browser.dll 25-Sep-2002 16:36 5.131.2195.6072 469,776 Crypt32.dll 25-Sep-2002 16:36 5.0.1558.6072 90,384 Cryptdlg.dll 26-Aug-2002 12:45 5.0.2195.6012 135,952 Dnsapi.dll 07-Nov-2002 19:08 5.0.2195.6076 96,016 Dnsrslvr.dll 26-Aug-2002 12:45 5.0.2195.5722 45,328 Eventlog.dll 26-Aug-2002 12:45 5.0.2195.5907 222,992 Gdi32.dll 26-Aug-2002 12:45 5.0.2195.5859 145,680 Kdcsvc.dll 04-Jun-2002 17:31 5.0.2195.5859 199,952 Kerberos.dll 26-Aug-2002 12:45 5.0.2195.6011 708,880 Kernel32.dll 21-Aug-2002 12:27 5.0.2195.6023 71,248 Ksecdd.sys 22-Jul-2002 19:54 5.0.2195.5960 507,152 Lsasrv.dll 22-Jul-2002 19:54 5.0.2195.5960 33,552 Lsass.exe 26-Aug-2002 12:45 5.0.2195.4733 332,560 Msgina.dll 12-Aug-2002 20:54 5.0.2195.6006 108,816 Msv1_0.dll 26-Aug-2002 12:45 5.0.2195.5979 307,472 Netapi32.dll 26-Aug-2002 12:45 5.0.2195.5966 360,720 Netlogon.dll 06-Sep-2002 14:40 5.0.2195.6044 917,264 Ntdsa.dll 26-Aug-2002 12:45 5.0.2195.5936 119,568 Psbase.dll 26-Aug-2002 12:45 5.0.2195.6025 389,392 Samsrv.dll 26-Aug-2002 12:45 5.0.2195.5951 129,296 Scecli.dll 26-Aug-2002 12:45 5.0.2195.5951 302,864 Scesrv.dll 23-Oct-2002 14:05 5.0.2195.6100 138,752 Sp3res.dll 13-Jun-2001 01:05 5.0.2195.3727 3,856 Svcpack1.dll 26-Aug-2002 12:45 5.0.2195.6000 379,664 User32.dll 26-Aug-2002 12:45 5.0.2195.5968 369,936 Userenv.dll 26-Aug-2002 12:45 5.0.2195.5859 48,912 W32time.dll 04-Jun-2002 17:32 5.0.2195.5859 57,104 W32tm.exe 24-Aug-2002 14:50 5.0.2195.6028 1,642,416 Win32k.sys 15-Aug-2002 11:30 5.0.2195.6013 179,472 Winlogon.exe 26-Aug-2002 12:45 5.0.2195.5935 243,472 Winsrv.dll 26-Aug-2002 12:45 5.0.2195.5944 125,712 Wldap32.dll 22-Jul-2002 19:54 5.0.2195.5960 507,664 Lsasrv.dll 56-bit 07-Nov-2002 19:08 5.0.2195.6011 708,880 Kernel32.dll UniProc 07-Nov-2002 19:08 5.0.2195.6028 1,642,416 Win32k.sys UniProc 26-Aug-2002 12:45 5.0.2195.5935 243,472 Winsrv.dll UniProc
NOTE: Because of file dependencies, this update may contain additional files. This update requires Windows 2000 Service Pack 2 (SP2) or Service Pack 3 (SP3). For additional information about how to obtain the latest service pack, click the article number below to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
Windows NT 4.0
Download information
The following files, for the given language, are available for download from the Microsoft Download Center:
Windows NT Server 4.0
English Language Version
Arabic Language Version
Chinese (Simplified) Language Version
Chinese (Traditional) Language Version
Chinese (Hong Kong) Language Version
Czech Language Version
Danish Language Version
Dutch Language Version
Finnish Language Version
French Language Version
German Language Version
Hebrew Language Version
Hungarian Language Version
Italian Language Version
Japanese Language Version
Japanese NEC Language Version
Korean Language Version
Norwegian Language Version
Polish Language Version
Portuguese (Brazilian) Language Version
Russian Language Version
Spanish Language Version
Swedish Language Version
Thai Language Version
Windows NT Server 4.0, Terminal Server Edition
English Language Version
French Language Version
German Language Version
Japanese Language Version
Spanish Language Version
Release Date: November 20, 2002
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
Installation information
You must restart your computer after you apply this update. This update supports the following Setup switches:
- /y: Perform removal (only with /m or /q).
- /f: Force programs to be closed at shutdown.
- /n: Do not create an Uninstall folder.
- /z: Do not restart when the updates is completed.
- /q: Quiet or Unattended mode with no user interface (this switch is a superset of /m).
- /m: Unattended mode with user interface.
- /l: List installed hotfixes.
- /x: Extracts the files without running Setup.
For example, to install the update without any user intervention, and then to not force the computer to restart, use the following command line:
q329115i /q /z
Warning Your computer is vulnerable until you restart it.
File information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
The following files are copied to the %WINDIR%\System32 folder:
Windows NT 4.0
Date Time Version Size File name ------------------------------------------------------------------ 12-Sep-2002 21:10 5.131.1878.12 372,496 Crypt32.dll 25-Sep-2002 18:36 5.0.1558.6072 90,384 Cryptdlg.dll 26-Sep-2002 18:38 4.86.1964.1878 143,632 Schannel.dll 26-Sep-2002 18:38 4.87.1964.1878 112,912 Schannel.dll 128-bit
Windows NT Server 4.0, Terminal Server Edition
Date Time Version Size File name ------------------------------------------------------------------ 12-Sep-2002 21:10 5.131.1878.12 372,496 Crypt32.dll 25-Sep-2002 18:36 5.0.1558.6072 90,384 Cryptdlg.dll 26-Sep-2002 18:38 4.86.1964.1878 143,632 Schannel.dll 26-Sep-2002 18:38 4.87.1964.1878 112,912 Schannel.dll 128-bit
Note Because of file dependencies, this update requires Windows NT 4.0 Service Pack 6a (SP6a) or Windows NT Server 4.0, Terminal Server Edition Service Pack 6 (SP6). For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
152734 How to Obtain the Latest Windows NT 4.0 Service Pack
Windows Me, Windows 98 Second Edition, and Windows 98
Download information
The following files are available for download from the Microsoft Download Center:
Windows Millennium Edition (Me)
All languages: Download the 329115 package now
Windows 98 and Windows 98 Second Edition
All languages: Download the 329115 package now
Release Date: November 20, 2002
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
File information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Windows Millennium Edition
Date Time Version Size File name -------------------------------------------------------- 12-Sep-2002 20:51 5.131.2133.6 468,752 Crypt32.dll 25-Sep-2002 17:36 5.0.1558.6072 90,384 Cryptdlg.dll
Windows 98 and Windows 98 Second Edition
Date Time Version Size File name --------------------------------------------------------- 12-Sep-2002 20:10 5.131.1878.12 372,496 Crypt32.dll 25-Sep-2002 17:36 5.0.1558.6072 90,384 Cryptdlg.dll 26-Sep-2002 17:38 4.87.1964.1878 112,912 Schannel.dll
Office v. X, Office 2001, Office 98 for Mac; Outlook Express for Mac; Internet Explorer for Mac
For information about obtaining updates for these products, visit the following Microsoft Web site:
STATUS
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed in the "Applies to" section.
Windows XP
This problem was first corrected in Microsoft Windows XP Service Pack 2.
Windows 2000
This problem was first corrected in Microsoft Windows 2000 Service Pack 4.
MORE INFORMATION
For more information about this vulnerability, visit the following Microsoft Web site:
For additional information about correcting the problem that occurs if the correct file is not installed when you use QChain.exe, click the following article number to view the article in the Microsoft Knowledge Base:
815062 The correct file is not installed when you chain multiple hotfixes
Additional query words: ris logon error security_patch man-in-the-middle Q328145 328145.KB.EN-US
Keywords: kbhotfixserver kbqfe atdownload kbwinxpsp2fix kbenv kbwin2ksp4fix kbsecvulnerability kbsecbulletin kbbug kbfix kbsecurity kbwinxppresp2fix KB329115
