Who should read this bulletin: Customers using Microsoft® Windows® 98, Windows 98 Second Edition, Windows Millennium, Windows NT® 4.0, Windows 2000, or Windows XP.
Maximum Severity Rating:Critical August 28, 2002
All versions of Windows ship with an ActiveX control known as the Certificate Enrollment Control, the purpose of which is to allow web-based certificate enrollments. The control is used to submit PKCS #10 compliant certificate requests, and upon receiving the requested certificate, stores it in the user?s local certificate store.
The control contains a flaw that could enable a web page, through an extremely complex process, to invoke the control in a way that would delete certificates on a user?s system. An attacker who successfully exploited the vulnerability could corrupt trusted root certificates, EFS encryption certificates, email signing certificates, and any other certificates on the system, thereby preventing the user from using these features. Download Flaw in Certificate Enrollment Control Could Allow Deletion of Digital Certificates (Q323172)
Maximum Severity Rating:Critical August 28, 2002
All versions of Windows ship with an ActiveX control known as the Certificate Enrollment Control, the purpose of which is to allow web-based certificate enrollments. The control is used to submit PKCS #10 compliant certificate requests, and upon receiving the requested certificate, stores it in the user?s local certificate store.
The control contains a flaw that could enable a web page, through an extremely complex process, to invoke the control in a way that would delete certificates on a user?s system. An attacker who successfully exploited the vulnerability could corrupt trusted root certificates, EFS encryption certificates, email signing certificates, and any other certificates on the system, thereby preventing the user from using these features. Download Flaw in Certificate Enrollment Control Could Allow Deletion of Digital Certificates (Q323172)