ActiveX flaw could delete certificates

A flaw has been found in an ActiveX control that could restrict uses of Windows systems.

Feedback on this story? Send your comments to News Writer Edward Hurley

The vulnerability is in the Certificate Enrollment Control, the ActiveX control that handles Web-based certificate enrollment. Attackers could exploit the flaw with a specially designed Web page "through an extremely complex process" to use the control to delete certificates on remote systems, Microsoft said in an advisory. Potentially susceptible certificates include root certificates, EFS encryption certificates and e-mail signing certificates.

If the flaw is exploited, users could have trouble using secured Web sites and encrypting and decrypting data.

According to Microsoft, Windows 98, Windows 98 Second Edition, Windows Millennium, Windows NT 4.0, Windows 2000 and Windows XP are affected.

There are two avenues attackers could take to exploit the flaw. First, an attacker could set up a Web page that exploits it, attacking vulnerable visitors to the site. Second, an HTML e-mail could be crafted to take advantage of it.

However, some users are not exposed to such attacks if certain security settings are in place. The Web-based attack would not work if ActiveX controls were disabled in the Security Zone, the advisory said. The e-mail attack would not work either if the mail client handles HTML mail in the Restricted Sites Zone, as Outlook Express 6 and Outlook 2002 do by default. Outlook 98 and 2000 also open HTML mail in the Restricted Sites Zone on systems that have the Outlook E-mail Security Update installed.
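The mitigation described above depends on the "Run ActiveX controls and plug-ins" setting of the Internet Explorer Security Zones. The following PowerShell check is an added example, not part of the original article or of Microsoft's advisory; it assumes the documented zone registry layout (zone 3 = Internet, zone 4 = Restricted sites, value `1200` = ActiveX, where 0 = Enabled, 1 = Prompt, 3 = Disabled) and reports, per hive, whether ActiveX is disabled in the zones the article names. Whether a given mail client actually renders HTML in the Restricted Sites Zone is a client setting not covered here.

```powershell
# Added example: report the "Run ActiveX controls and plug-ins" (value 1200) setting
# for the Internet and Restricted sites zones, in both the user and machine hives.
# Assumption: standard IE zone registry layout; a machine-wide (HKLM) policy may
# override the per-user (HKCU) value, so both are shown.
$base    = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones   = @{ 3 = 'Internet'; 4 = 'Restricted sites' }
$meaning = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-ActiveXZoneSetting {
    param([Parameter(Mandatory)][int]$ZoneId)

    foreach ($hive in 'HKCU', 'HKLM') {
        $path = "${hive}:\$base\$ZoneId"
        # Read only the ActiveX value; missing keys (e.g. no HKLM policy) are skipped.
        $item = Get-ItemProperty -Path $path -Name '1200' -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }

        $raw = [int]$item.'1200'
        [pscustomobject]@{
            Hive            = $hive
            Zone            = $zones[$ZoneId]
            RawValue        = $raw
            Setting         = if ($meaning.ContainsKey($raw)) { $meaning[$raw] } else { 'Unknown' }
            ActiveXDisabled = ($raw -eq 3)   # 3 = Disabled is the state the advisory relies on
        }
    }
}

# Walk the two zones the article refers to and print a table for review.
foreach ($id in ($zones.Keys | Sort-Object)) {
    Get-ActiveXZoneSetting -ZoneId $id
} | Format-Table -AutoSize
```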

Fixing the flaw is a matter of installing a patch, which is available for all affected versions. Internet Explorer 5 or later is required for installing the patch, Microsoft said.

Additionally, Microsoft said operators of Web sites that use the Certificate Enrollment Control will need to make a few minor tweaks to their Web applications to use the updated version of the control.
