[Am-info] Microsoft Certificate Enrollment Control Security Hole
Fred A. Miller
fmiller@lightlink.com
Fri, 06 Sep 2002 01:06:33 -0400
Microsoft Certificate Enrollment Control Security Hole
Microsoft has issued a security bulletin warning of a critical
hole in the Certificate Enrollment Control component of Windows,
an ActiveX control used to request new certificates on line and
to install them. The bulletin says that the Certificate Enrollment
Control can also be used to remotely corrupt or delete certificates,
and urges vulnerable users to install a patch. The vulnerability could
be exploited by tricking users into visiting a specially crafted
malicious web page or opening HTML e-mail. Affected versions of
Windows include 98, 98SE, Millennium, NT 4.0, 2000 and XP; earlier
versions weren't tested because they are no longer supported.
http://www.theregister.co.uk/content/55/26859.html
http://www.computerworld.com/securitytopics/security/holes/story/0,1080
1,73864,00.html
http://www.microsoft.com/technet/security/bulletin/ms02-048.asp
--
"The only secure Microsoft software is what's still
shrink-wrapped in their warehouse..." (Forno)