
ActiveX flaw could delete certificates

A flaw has been found in an ActiveX control that could restrict uses of Windows systems.

Microsoft security bulletin (including links to patches)

Feedback on this story? Send your comments to News Writer Edward Hurley.

The vulnerability is in the Certificate Enrollment Control, the ActiveX control that handles Web-based certificate enrollment. Attackers could exploit the flaw with a specially designed Web page "through an extremely complex process" to use the control to delete certificates on remote systems, Microsoft said in an advisory. Potentially susceptible certificates include root certificates, EFS encryption certificates and e-mail signing certificates.

If the flaw is exploited, users could have trouble using secured Web sites and encrypting and decrypting data.

According to Microsoft, Windows 98, Windows 98 Second Edition, Windows Millennium, Windows NT 4.0, Windows 2000 and Windows XP are affected.

There are two avenues attackers could take to exploit the flaw. First, an attacker could set up a Web page that exploits it, thereby attacking vulnerable visitors to the site. Second, an HTML e-mail could be crafted to take advantage of it.

However, some users may not be open to such attacks if they are running certain security controls. The Web-based attack wouldn't work if ActiveX controls were disabled in the Security Zone, the advisory said. The e-mail attack wouldn't work either if the mail client handles HTML mail in the Restricted Sites Zone, as Outlook Express 6 and Outlook 2002 do by default. Outlook 98 and 2000 open HTML mail in the Restricted Sites Zone on systems where the Outlook E-mail Security Update is installed.
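The zone-based mitigation above depends on the "Run ActiveX controls and plug-ins" setting of the Internet and Restricted Sites zones. The following audit script is an added example, not code from the article or from Microsoft; it assumes a current Windows host with PowerShell and reads the per-user zone settings only (the registry layout, Zones\3 and Zones\4 with DWORD 1200, is the long-standing IE zone model; machine-wide HKLM policy and the mail client's own zone assignment are not checked).

```powershell
# Added audit script (not from the article). Reads the per-user IE security-zone
# settings the article's mitigation depends on: Zones\3 = Internet,
# Zones\4 = Restricted Sites; DWORD 1200 = "Run ActiveX controls and plug-ins".
# Value meanings: 0 = Enable, 1 = Prompt, 3 = Disable.
# Assumption: current Windows host; HKLM-only policy is not consulted here.

$ZoneBase  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneNames = @{ 3 = 'Internet'; 4 = 'Restricted Sites' }
$Meaning   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveXZoneSetting {
    param([int[]]$Zones = @(3, 4))
    foreach ($z in $Zones) {
        $key = Join-Path $ZoneBase ([string]$z)
        # A missing value means the zone is using its built-in template default.
        $raw = (Get-ItemProperty -Path $key -Name '1200' -ErrorAction SilentlyContinue).'1200'
        if ($null -eq $raw) {
            $label = 'not set (template default)'
        } elseif ($Meaning.ContainsKey([int]$raw)) {
            $label = $Meaning[[int]$raw]
        } else {
            $label = "unknown ($raw)"
        }
        [pscustomobject]@{
            Zone            = $ZoneNames[$z]
            RunActiveX      = $label
            ActiveXDisabled = ($raw -eq 3)   # only an explicit 3 counts as disabled
        }
    }
}

# Report, flagging zones where a hostile page could still instantiate a control.
Get-ActiveXZoneSetting | ForEach-Object {
    $state = if ($_.ActiveXDisabled) { 'OK' } else { 'REVIEW' }
    '{0,-7} {1,-16} Run ActiveX controls: {2}' -f $state, $_.Zone, $_.RunActiveX
}
```

A zone reported as REVIEW does not by itself mean the system is exposed; the patch Microsoft describes below is the actual fix, and this check only confirms whether the zone-level workaround is in place for the current user.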

Fixing the flaw is a matter of installing a patch, which is available for all affected versions. Internet Explorer 5 or later is required for installing the patch, Microsoft said.

Additionally, Microsoft said operators of Web sites that use the Certificate Enrollment Control will need to make a few minor tweaks to their Web applications to use the updated version of the control.
