Windows flaw threatens PC services

29 Aug 2002 07:32


Microsoft is urging Windows users to update their systems to patch a vulnerability that corrupts the digital certificates used in network services

Microsoft said on Wednesday that a critical flaw in most versions of the company's Windows operating system could allow malicious attackers to corrupt the digital certificates that PCs use to connect to network services.

The vulnerability can be exploited via a special coded ActiveX inserted into hypertext markup language (HTML), the lingua franca of the Web. To fall victim to attack, a PC user would have to browse a Web site, or open an HTML email, specifically set up to take advantage of the vulnerability.

"(The flaw) could enable a Web page, through an extremely complex process, to invoke the (ActiveX) control in a way that would delete certificates on a user's system," Microsoft warned in an advisory released late on Wednesday.

Such digital certificates are used to hold encryption keys used in email, the encrypted files system (ESS) that is shipped with certain versions of Windows, and in the Secure Sockets Layer communications protocol used by many e-commerce Web sites. ESS is shipped in Windows 2000 and Windows XP Professional. While the flaw doesn't allow a malicious vandal to steal the certificates, it does allow the attacker to corrupt the data, rendering it useless to the PC's owner.

Depending on the certificates corrupted, the act would prevent the victim from encrypting and decrypting email, encrypting files and complicate the use of secure Web sites, Microsoft advised. The flaw occurs in the Certificate Enrollment ActiveX Control.

Microsoft suggests that all users of Windows Windows 98, Windows 98 Second Edition, Windows Millennium, Windows NT 4.0, Windows 2000 and Windows XP patch their system immediately.

The latest advisory brings the number of such warnings by the software giant to 48 for the year.

More enterprise IT news in ZDNet UK's Tech Update Channel.

For a weekly round-up of the enterprise IT news, sign up for the Tech Update newsletter.

Have your say instantly, and see what others have said. Go to the ZDNet news forum.

Let the editors know what you think in the Mailroom.

Story URL: http://news.zdnet.co.uk/security/0,1000000189,2121462,00.htm

Copyright © 1995-2008 CNET Networks, Inc. All rights reserved
ZDNET is a registered service mark of CNET Networks, Inc. ZDNET Logo is a service mark of CNET Networks, Inc.