A flaw has been found in an ActiveX control that could restrict uses of Windows systems.
The vulnerability is in the Certificate Enrollment Control component of ActiveX that controls Web-based certificate enrollments. Attackers could exploit the flaw with a specially designed Web page "through an extremely complex process" to use the control to delete certificates on remote systems, Microsoft said in an advisory. Potentially susceptible certificates include: root certificates, EFS encryption certificates and e-mail signing certificates
If the flaw is exploited, users could have trouble using secured Web sites and encrypting and decrypting data.
According to Microsoft, Windows 98, Windows 98 Second Edition, Windows Millennium, Windows NT 4.0, Windows 2000 and Windows XP are affected.
There are two avenues attackers could take to exploit the flaw. First, an attacker could set-up a Web page that exploits it, hence attacking vulnerable visitors to the site. Second, a HTML e-mail could be crafted to take advantage of it.
However, some users may not be open to such attacks if they are running certain security controls. The Web-based attack wouldn't work if ActiveX controls were disabled in the Security Zone, the advisory said. The e-mail attack wouldn't work either if the mail client handles HTML mail in the Restricted Sites Zone, as Outlook Express 6 and Outlook 2002 do by default. Outlook 98 and 2000 open HTML mail in the Restricted Sites Zone on systems installed with the Outlook E-mail Security Update.
Fixing the flaw is a matter of installing a patch, which is available for all affected versions. Internet Explorer 5 or later is required for installing the patch, Microsoft said.
Additionally, Microsoft said operators of Web sites that use the Certificate Enrollment Control will need to make a few minor tweaks to their Web applications to use the updated version of the control.