Microsoft to fix identity spoofing vulnerability
By Alun Williams
Posted on 5 Sep 2002 at 12:48
Microsoft is readying a patch for the security vulnerability surrounding the improper use of digital certificate validation. The flaw enables attackers to electronically establish a false identity in order to gain access to systems or data.
Essentially, an attacker who possessed a valid electronic identity certificate could issue bogus subordinate certificates and carry out a variety of identity spoofing attacks.
For example, a Web site could shore up a bogus identity by falsely 'proving' its identity, by means of establishing an SSL (Secure Sockets Layer) session as the legitimate Web site. Alternatively, someone could pose as a privileged user to infiltrate a certificate-based authentication system.
The Microsoft software affected by the security flaw includes Microsoft Office for Mac, Internet Explorer for Mac and Outlook Express for Mac, as well as 32-bit Windows operating systems.
The problem is officially rated as 'critical' for both Internet- and client-based Windows systems. The Microsoft programs for the Mac, however, are rated as a 'moderate' threat to client systems.
Windows patches have been released and a patch for the Mac software is expected to follow shortly.
You can read bulletin MS02-050 at Microsoft.com.
Dropping down into technical detail, the flaw revolves around the IETF Profile of the X.509 digital certificate. There is a flaw in the implementation of the CryptoAPI functions that construct and validate certificate chains, and some functions do not properly deal with a 'Basic Constraints' field.
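The Basic Constraints check described above can be sketched as follows. This is an added example, not Microsoft's CryptoAPI code: certificates are modelled as plain objects with constructed names, signature verification is omitted, and `Cert`, `check_chain` and `enforce_basic_constraints` are hypothetical names. Passing `enforce_basic_constraints=False` reproduces the flawed behaviour, in which a chain that runs through an end-entity certificate is accepted.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    # Simplified model of an X.509 certificate (hypothetical, for illustration)
    subject: str
    issuer: str
    is_ca: bool = False              # Basic Constraints: cA flag
    path_len: Optional[int] = None   # Basic Constraints: pathLenConstraint

def check_chain(chain, trusted_roots, enforce_basic_constraints=True):
    """Validate a chain ordered leaf first, root last. Returns (ok, reason)."""
    if not chain or chain[-1].subject not in trusted_roots:
        return False, "chain does not end at a trusted root"
    for i in range(len(chain) - 1):
        child, parent = chain[i], chain[i + 1]
        if child.issuer != parent.subject:
            return False, f"{child.subject}: issuer name mismatch"
        # A real validator also verifies child's signature with parent's key here.
        if not enforce_basic_constraints:
            continue  # the flawed behaviour: any certificate may act as an issuer
        if not parent.is_ca:
            return False, f"{parent.subject}: not a CA, cannot issue certificates"
        # i is the number of intermediate CA certificates below this parent.
        if parent.path_len is not None and i > parent.path_len:
            return False, f"{parent.subject}: path length exceeded"
    return True, "ok"

# Constructed sample certificates (not taken from the bulletin).
TRUSTED = {"Example Root CA"}
ROOT = Cert("Example Root CA", "Example Root CA", is_ca=True)
ISSUING = Cert("Example Issuing CA", "Example Root CA", is_ca=True, path_len=0)
HOLDER = Cert("holder.example", "Example Issuing CA")    # valid end-entity cert
SPOOFED = Cert("www.shop.example", "holder.example")     # "issued" by a non-CA

if __name__ == "__main__":
    bad_chain = [SPOOFED, HOLDER, ISSUING, ROOT]
    print("strict :", check_chain(bad_chain, TRUSTED))
    print("flawed :", check_chain(bad_chain, TRUSTED, enforce_basic_constraints=False))
```
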
