In the security bulletin, Microsoft warned that because of a flaw, CryptoAPI does not properly validate a certain portion of a digital certificate. The flaw affecting Macintosh products is unrelated to CryptoAPI, according to the security bulletin. Windows uses cryptography to authenticate the validity of Web sites and software components such as software drivers, and to keep intruders from gaining control of key subsystems. "When we look at this particular issue, especially with the CryptoAPI, it shows these types of issues take thorough investigation," said Lynn Terwoerds, security programme manager for Microsoft's Security Response Center. "We're in the situation where we've done our thorough investigation...People want to know if there is trust. Well, there is." Microsoft strongly encouraged consumers and businesses to immediately install software patches posted to the company's Web site, to correct the flaw. But Windows 2000, one of the most popular Microsoft operating systems among businesses, has yet to be patched. Initially, the company made patches available for Windows NT 4, Windows NT 4 Terminal Server, Windows XP and Windows XP 64-bit Edition. Late on Thursday, Microsoft also released patches for Windows 98, Windows 98 Second Edition and Windows Me. Six Microsoft Macintosh programs also are affected by the flaw: Office v. X, Office 2001, Office 98, Internet Explorer for Mac OS 8 and 9, Internet Explorer for Mac OS X and Outlook Express 5.05. Patches are expected to be available soon for those products. Microsoft deemed the problem critical for the affected Windows products but moderate for the Macintosh applications. The Redmond, Washington-based company also noted that some older versions of the programs could be vulnerable to attack. Since Microsoft no longer supports the programs, no patches will be released for them. Microsoft could not say when the other patches would be made available. "We are working round the clock right now," Terwoerds said. "As soon as they're available, we'll release them." The problem potentially affects many other programs that might rely on Windows cryptography features. CryptoAPI is "part of the base operating system, so the problem will affect a lot of different products. We don't know, for example, what non-Microsoft products people have to be concerned about here," said Smith. Last month, Microsoft issued a warning about a separate flaw that also affects digital certificates. That flaw doesn't allow a hacker to steal the certificates, but it does let the attacker corrupt the data, rendering it useless to the PC's owner. Avenues of attack
Unpatched computers, particularly those running Windows, are vulnerable to a variety of avenues of attack, Microsoft warned. Because of the vulnerability, CryptoAPI might not recognise that a second digital certificate is bogus and would therefore fail to warn PC user. The issuer could then use that unauthorised certificate to redirect that person to a second Web site for conducting an online transaction using Secure Socket Layer. SSL, an encryption technology widely used in online transactions, lets Web servers scramble credit card numbers and other information so they can't be seen by prying eyes. In this instance, a person might start a legitimate transaction at one Web site, then be unknowingly redirected to a second, bogus site, analysts said. Security analyst Smith said the problem could become significant, since so many computers use software containing the flaw. "It's much more widespread than people originally thought," he said. "And, because this has to do with CryptoAPI, the problem may have existed for five years." Gartner's Pescatore emphasised that although no one has yet to really exploit the vulnerability, it does not negate the flaw's significance. Consumers have grown comfortable with the secure key symbol in a browser, which indicates that it's safe to conduct a transaction. "They believe Secure Socket Layer is running and it's safe to enter in their password, safe to enter in their credit card information," Pescatore said. "If this flaw were exploited, people could all of a sudden say, 'Wait a minute, it's not safe to put my credit card into Amazon.com or do trades on E*Trade, because how do I ever know I'm talking to E*Trade?'" Microsoft also is concerned about the vulnerability's potential impact on trusted online transactions. "That's why we're taking aggressive measures to let people know about this," Terwoerds said. In another potential exploit, a rogue Web site could trash a computer's root digital certificate issued by third-party authenticator VeriSign. With that mechanism broken, the person would no longer be able to conduct transactions over the Web. The hacker could then send an email that says, "The certificate is no longer working. Click here to install a new one." Pescatore said with that capability, if he had malicious intent, "I could go to VeriSign, get a certificate for Pescatore.com and trick you into thinking it was Amazon.com." Pescatore's example points to yet another possible abuse identified by Microsoft: sending, via email, a seemingly valid digital certificate that's actually signed by someone else. A hacking two-step
Still, analysts noted that the vulnerability would generally require some kind of two-step process for hackers to fully take advantage of it. But they could rely on habits ingrained in consumers who do business over the Web -- ingrained by Microsoft itself in some instances -- to help them succeed. "More and more consumers are using Windows Update and automatically updating their Microsoft software," Pescatore said. "They're getting trained to respond to 'You need to update, so click here.' These vulnerabilities exploit this behaviour." Terwoerds, who emphasised she was not trying to downplay the security flaw, agreed with the assessment by analysts that a multistep process would be required to make the exploit work. "Are users going to be able to go to all these bogus Web sites and give out credit card information?" she asked. "Is it possible? Yes. Is each a likely scenario? No." Wednesday's security warning comes after a long list of recent alerts. Attacks last week against Windows 2000 Server have stumped Microsoft, for example. In August alone, Microsoft issued eight security alerts. It has issued two so far in September. Microsoft has been issuing security alerts on a fairly frequent basis since January, when company chairman Bill Gates made security a top priority for the company. The company is likely to issue even more security bulletins as the year progresses, say analysts. "They started out with the server products and then moved on to the server applications," Pescatore said. "They've now moved on to the desktop OS and things like (Internet) Explorer. They're shaking out the laundry and all these bugs are flying out...that haven't been looked at. There's more to come."
For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section.
Have your say instantly, and see what others have said. Go to the Security forum.
Let the editors know what you think in the Mailroom.
