NEW MS Patch (posted Aug. 28th, 2002) - Flaw in Certificate Enrollment

Discussion in 'other security issues & news' started by javacool, Aug 28, 2002.

Thread Status:
Not open for further replies.
  1. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    Title: Flaw in Certificate Enrollment Control Could Allow
    Deletion of Digital Certificates (Q323172)
    Date: 28 August 2002
    Software: Microsoft Windows 98
    Microsoft Windows 98 Second Edition
    Microsoft Windows Millennium
    Microsoft Windows NT 4.0
    Microsoft Windows 2000
    Microsoft Windows XP
    Impact: Denial of service
    Max Risk: Critical
    Bulletin: MS02-048

    Microsoft encourages customers to review the Security Bulletin at:
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-048.asp.
    ----------------------------------------------------------------------

    Issue:
    ======
    All versions of Windows ship with an ActiveX control known as the
    Certificate Enrollment Control, the purpose of which is to allow
    web-based certificate enrollments. The control is used to submit PKCS
    #10 compliant certificate requests, and upon receiving the requested
    certificate, stores it in the user's local certificate store.

    The control contains a flaw that could enable a web page, through
    an extremely complex process, to invoke the control in a way that
    would delete certificates on a user's system. An attacker who
    successfully exploited the vulnerability could corrupt trusted root
    certificates, EFS encryption certificates, email signing certificates,
    and any other certificates on the system, thereby preventing the user
    from using these features.

    Risk Rating:
    ============
    - Internet systems: Low
    - Intranet systems: Low
    - Client systems: Critical

    Patch Availability:
    ===================
    - A patch is available to fix this vulnerability. Please read the
    Security Bulletin at
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-048.asp
    for information on obtaining this patch.
     
  2. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    Download locations for this patch

    Patches for all Windows platforms will be available from Windows Update on August 29, 2002. For users who want to download the patches immediately, please refer to the following locations:

    Microsoft Windows 98:
    http://www.microsoft.com/windows98/downloads/contents/WUCritical/q323172/default.asp

    Microsoft Windows 98 Second Edition:
    http://www.microsoft.com/windows98/downloads/contents/WUCritical/q323172/default.asp

    Microsoft Windows Me:
    http://download.microsoft.com/download/WINME/PATCH/24421/WINME/EN-US/323172USAM.EXE

    Microsoft Windows NT 4.0:
    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=41747

    Microsoft Windows NT 4.0, Terminal Server Edition:
    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=41361

    Microsoft Windows 2000:
    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=41568

    Microsoft Windows XP:
    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=41598

    Microsoft Windows XP 64-bit Edition:
    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=41598

    -Javacool
     
  3. crockett

    crockett Registered Member

    Joined:
    Jul 15, 2002
    Posts:
    333
    :) Hi Javacool; hope you're doing fine.

    Pardon my ignorance on this matter, but I hope you will allow me a might-be-silly question...

    From what I just read, this critical vulnerability seems to imply some Active-X related phenomenon.

    Can we then deduce that it is only a concern for Internet Explorer's users ? Probably Outlook/Outlook Express also ?!

    How about systems running without any Active-X components allowed ?

    All this seems important, because if the vulnerability is only a flaw IF Active-X processes are allowed AND available to would-be-hackers, then disabling Active-X on one's system/browser should provide as much solutioning to the problem as one would desire !?

    Hope you can help clarifying this to me...

    Rgds, Crockett :cool:
     
  4. parkersxs

    parkersxs Registered Member

    Joined:
    Aug 6, 2002
    Posts:
    20
    I like your thinking Crockett. Many times side effects of the "patch" are as bad as the disease itself. I've always tried to stay away from apps that require active-x. Removed IE. Can never seem to get on to Microsoft's web site with Opera though. Coincidence? Anyway I'll probably sit on the side until I know exactly what the patch entails.
     
  5. crockett

    crockett Registered Member

    Joined:
    Jul 15, 2002
    Posts:
    333
    Hi ParkerSxs;

    One of the first things I did when starting to somewhat begin to understand Internet security was completely disable the Active-X possibilities in Internet Explorer. Decided to after reading Wolfram Gieseke's book HACKER REPORT.

    Never had any problem to connect to any site after that, except for two of them which persisted to use only Active-X technology in building their web pages. I guess two sites over a surfing period of more than two years is no big deal.

    BTW, the second site is a new security-related site - I communicated with them to tell them using only Active-X to create their web pages didn't seem a very good nor consistent idea to me ;)

    Connecting to www.M$.com using Opera should be no problem at all - I do it relatively often to see what they tell in their patches-related public press releases. So I guess maybe your Opera configuration is not as precise as it could be, or perhaps a too-restrictively configured firewall could be the source of your problem ?!

    The only possibility that disappears when disabling Active-X in IE is to connect to M$ and use their Active Setup procedure to dwl patches or updates. But being an Opera user, you shouldn't need that feature too often :)

    Also, even for IE's fans, using Active Setup is not mandatory - just keeping an eye on new available patches and selecting any that one considers needed, then dwl it can easily be done without any Active-X.

    BTW, you're absolutely right - it's not rare to dwl a patch only to realize that the system then does no longer function as 'well' as it did before ! :)

    Rgds, Crockett :cool:
     
  6. parkersxs

    parkersxs Registered Member

    Joined:
    Aug 6, 2002
    Posts:
    20
    Crockett,

    Thanks for your experienced insight regarding the use of Active-x. With 98lite I can remove the option of Active-x, which I will shortly do. I just always figured there were some dependencies that would react badly if I removed Active-x completely.

    I followed the link above (MS) using Opera but even after messing with JS, cookies, etc. couldn't get the site to load. It's my current impression that for myself the patch is not needed.

    By the way, I keep all pertinent updates and patches for the OS's I use on disk just so those unfortunate reinstalls go much smoother.

    Thanks for the info!
     
  7. crockett

    crockett Registered Member

    Joined:
    Jul 15, 2002
    Posts:
    333
    Hi;

    I know this post may not really belong inside this 'patches-thread', but nevertheless I think it makes some sense to write it here.

    I recently read that some users encountered problems as far as installing/uninstalling some softs/patches is concerned. For example, ZoneAlarm is the one I most recently read about.

    IMHO one of the best tools one can get if concerned with computer security issues is a CDRom burning utility AND a 'ghosting' program - i.e. something like Symantec's Norton Ghost or PowerQuest's Drive Image.

    Then one can proceed as follows... You start with a formatted c-drive, and install your favorite OS, favorite tools, and configure all these the way you like it.

    Along the way, you make CDRom copies of the different stages of the installation process.

    Let's say, the first copy is a copy of your OS. The second one is [OS+configured mail-client+favorite word processing soft]. Next copy could be [the last copy + your favorite AV], and the next one would be [exactly the same + your favorite Firewall].

    What's my point ? In fact, I have two points to make.

    The first one is that when something bad happens to your system (could be a virus, a bugged new program, anything), you never have to worry about anything since you have COMPLETE and ALREADY CONFIGURED backup copies of your system, which you then re-copy on your hard-drive. Procedure's duration ? Something between five and ten minutes depending upon the number of MBytes to 'ghost back onto' the hard-drive.

    The second point is that when a new firewall comes up you are interested in testing, or a new patch, you then reinstall one of the non-complete copies (i.e. the one with everything except any firewall), and then install the new firewall you want to test. If it suits you, you again make a new complete copy of your hard-drive (again, takes only a few minutes). If the new PF (or patch) doesn't suit you after all, you then switch back to one of your previous configurations.

    So you always have (and keep) the choice to install on your hard-drive any of the different fresh configurations you safely keep on self-made CDRoms - anytime you want, e.g. as soon as you feel your system gets slower or doesn't operate as smoothly as it did before...

    This is one of the most useful things I ever learned as regards computer security, and again these ideas I owe to and picked in a Belgian Bernard Fabrot's book (Réinstallez Windows [Editions Marabout]).

    Hope this may be of interest to you.

    Rgds, Crockett :cool:
     