 |
|
 |
| Tuesday, February 07, 2012
|
| Register Login |
 |
|
|
|
|
Users currently online
|
 |
|
|
|
 |
Membership: |
 |
Latest:
kevin |
 |
New Today:
0 |
 |
New Yesterday:
0 |
 |
Overall:
56 |
 |
People Online: |
 |
Visitors:
4 |
 |
Members:
0 |
 |
Total:
4 |
Online Now:
|
|
|
|
|
|
|
|
|
|
Welcome to the Viruswarning forums. All your original content has been ported to the new forums as well as new content and additional opportunities to interact with the authors of Viruswarn.com. You can always access old content at www.leedrake.com/forum . You may find some formatting was lost in the conversion and the older versions of the posts to be more readable....
But at least it's all here.
Enjoy!
|
|
|
|
|
|
Viruswarn Forums
|
|
|
|
|
| You are not authorized to post a reply.
|
|
| Author |
Messages |
|
David Gray
Posts:22
 |
| 10/16/2002 1:44 PM |
|
| What Is It?
All versions of Windows ship with an ActiveX control known as the Certificate Enrollment Control, the purpose of which is to allow web-based certificate enrollments. The control is used to process PKCS #10 compliant certificate requests, and upon receipt of the requested certificate, storing it in the user's local certificate store.
This would effectively create a denial of service attack on your machine; you would not be able to use one or more of the following services:
The Encrypting File System in Windows NT, 2000, and XP.
Digitally signed email, using any product that supports it, including both Outlook and Outlook Express.
Digitally signed program code, especially VBA code signing, which uses the Personal Certificate Store that is associated with Internet Explorer.
Probably electronic commerce, which I think depends on the presence of a valid Root Certificate.
In addition to disabling the use of these services to create new signatures, you might not have access to existing digitally signed content such as encrypted email messages and files stored in EFS volumes.
A malicious hacker could exploit the vulnerability in one of two ways.
Create a specially formatted Web page that would invoke the control in such a way as to cause damage such as I described above, host it on a Web server, and induce you to visit the page. Depending on your settings for scripting of ActiveX controls in the Internet Zone, the control might run without warning.
Send a specially formatted Web page to you as an email message. Depending on the security zone settings that apply to such pages, the result could easily be the same as if the page were hosted on a Web server.
Either way, if the ActiveX control runs, you've been had.
Anybody is subject to attack by the first method. Anybody running Outlook Express 5, Outlook 97/98, Eudora, or another mail program that uses the Internet Explorer rendering engine to render HTML pages is vulnerable to the second method.
Users of Outlook 2000 with the SR-1 Security Update or with SR-2, Outlook 2002 (XP), or Outlook Express 6, which comes with Windows XP, is subject to attack by the second method only if you have changed the security zone for mail to something other than the Restricted Zone or tinkered with the settings for the Restricted Zone. You haven't done either, have you. Good!
What Should You Do?
Install an updated version of the Certificate Enrollment Control by visiting the link below that corresponds to your version of Windows.
Windows 98
http://www.microsoft.com/windows98/downloads/contents/WUCritical/q323172/default.asp
Windows 98 Second Edition
http://www.microsoft.com/windows98/downloads/contents/WUCritical/q323172/default.asp
Windows Me
http://download.microsoft.com/download/WINME/PATCH/24421/WINME/EN-US/323172USAM.EXE
Windows NT 4.0
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=41747
Windows NT 4.0, Terminal Server Edition
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=41361
Windows 2000
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=41568
Windows XP
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=41598
Windows XP 64-bit Edition
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=41598
When you click the Download button, you will be given a choice of saving the file or running it from the Web server. If you want to download a copy to apply to other computers, choose the Save option, then double-click the saved file to run it on the machine onto which you just saved it.
Either way, you will be asked to accept the End User License Agreement (EULA). Click Yes to accept and follow the instructions. The next prompt you see should be for a restart.
At the end of the installation, you will be told that your computer must be restarted to complete the installation. When you press the OK button, the machine will restart on its own. If it fails to do so for any reason, use the Start Menu to shut down and restart.
Additional Information
The control contains a flaw that could enable a web page, through an extremely complex process, to invoke the control in a way that would delete certificates on a user's system. An attacker who successfully exploited the vulnerability could corrupt trusted root certificates, EFS encryption certificates, email signing certificates, and any other certificates on the system, thereby preventing the user from using these features.
You can read all the gory details in Microsoft Product Security Bulletin MS02-048, "Flaw in Certificate Enrollment Control Could Allow Deletion of Digital Certificates (Q323172)" at http://www.microsoft.com/technet/security/bulletin/ms02-048.asp.
This concludes this VirusWarning notice, dated Thursday, 29 August 2002.
David Gray
P6 Consulting
V: +1 (972) 751-0254
TZ: USA Central, GMT -5
E: mailto:dagray@p6c.com
W: http://www.p6c.com
David Gray, Moderator
A. K. A. Mr. Spock
You are more importnat than any technology we may employ. |
|
|
|
|
|
| You are not authorized to post a reply. |
|
|
|
ActiveForums 3.6
|
|
|
|
|
|
|
|