News

Microsoft Patches Critical Windows Vulnerability

• By Stephen Swoyer
• 09/05/2002

The software giant said that the vulnerability occurs because of a flaw in the way that its cryptography application programming interface (CryptoAPI) validates X.509 digital certificates. CryptoAPI is supported in Windows NT 4.0, Windows 98, Windows 98 Second Edition, Windows 2000, Windows Me and Windows XP.

Microsoft acknowledged that the same flaw, unrelated to CryptoAPI, is present in its Internet Explorer, Outlook Express and Office products for the Macintosh.

According to Microsoft, an attacker could exploit a flaw in the process by means of which CryptoAPI and the affected Macintosh applications construct and validate X.509 certificates to create a bogus digital certificate that's accepted as the genuine article by a vulnerable Windows or Macintosh system.

The software giant disclosed that code to exploit this vulnerability has already been published to the Internet.

An attacker who successfully exploits this vulnerability could perform a variety of identity-spoofing attacks, Microsoft conceded. Potential attack scenarios include:

• Spoofing a legitimate Web site to lure visitors into providing sensitive information, such as credit card number
• Spoofing of the digital signature of a legitimate user to send bogus e-mails
• Passing a bogus digital certificate to a system to spoof the identity of a legitimate user on that system.
• Digitally signing a dangerous program in the guise of a trustworthy user or company, in order to convince a user that it is safe to run it.

Although the software giant indicated that there are a number of factors that mitigate the scope of this vulnerability in different environments, it nonetheless assigned it a severity rating of “Critical” for all Internet servers, intranet servers and client systems running Windows. Macintosh systems with Internet Explorer, Outlook Express or Office installed are assessed with a “Moderate” rating.

Microsoft provided patches for Windows NT 4.0, Windows 2000 and Windows XP systems. Fixes for Windows 98, Windows Me and Macintosh systems will be published shortly, the software giant promised. Microsoft stressed that administrators should patch their systems immediately.

Microsoft Patches FoxPro Vulnerability

Yesterday, Microsoft disclosed a vulnerability in its Visual FoxPro 6.0 development tool that occurs as a result of Visual FoxPro’s failure to register properly with Internet Explorer.

Microsoft products typically register themselves with Internet Explorer when they're installed. This allows them to specify how Internet Explorer should handle files associated with them when referenced from a web page. For example, this facility allows a product to specify whether a user should be presented with a warning prompt before a file is opened.

Because Visual FoxPro 6.0 doesn’t perform this registration, however, it’s possible that a Web page could automatically launch a Visual FoxPro application. In most cases, Microsoft stresses, this alone wouldn’t result in a security vulnerability – FoxPro could be started, to be sure, but the application itself wouldn’t run. If, on the other hand, the filename of the application were constructed in a particular way, a second error that’s associated with the manner in which Visual FoxPro 6.0 evaluates application filenames could not only start FoxPro but allow the application to execute.

Microsoft acknowledges that an attacker who successfully exploits a vulnerability of this kind could possibly interrogate databases and issue system commands in the user’s security context.

Because a potential attacker could only assume the privileges associated with a compromised user’s security context, and because Visual FoxPro isn’t installed on many Internet-facing servers – or intranet servers, for that matter – Microsoft assigned the Visual FoxPro vulnerability a “Low” severity rating. For client systems, Microsoft assigned the vulnerability a “Moderate” severity rating.

Microsoft recommends that customers using Visual FoxPro should patch their systems immediately.