Microsoft Security Bulletin MS02-050

Certificate Validation Flaw Could Enable Identity Spoofing (Q329115)

Originally posted: September 04, 2002
Updated: November 11, 2003

Summary

Who should read this bulletin:
Customers using Microsoft® Windows®, Office for Mac, Internet Explorer for Mac, or Outlook Express for Mac.

Impact of vulnerability:
Identity spoofing and, in some cases, ability to gain control over a user's system.

Maximum Severity Rating:
Important

Recommendation:
Customers should install the updated version of the patch immediately, where necessary.

Affected Software:

  • Microsoft Windows 98
  • Microsoft Windows 98 Second Edition
  • Microsoft Windows Me
  • Microsoft Windows NT® 4.0
  • Microsoft Windows NT 4.0, Terminal Server Edition
  • Microsoft Windows 2000
  • Microsoft Windows XP
  • Microsoft Office for Mac
  • Microsoft Internet Explorer for Mac
  • Microsoft Outlook Express for Mac

General Information

Technical details

Frequently asked questions

Patch availability

Other information:

Acknowledgments

Microsoft thanks the UK National Infrastructure Security Co-ordination Centre (NISCC) for reporting the newly discovered variant and working with us to protect customers.

Support:

  • Microsoft Knowledge Base article Q329115 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
  • Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (September 04, 2002): Bulletin Created.
  • V2.0 (September 05, 2002): Bulletin updated to include patch availability for Windows 98, Windows 98 Second Edition, and Windows Me.
  • V2.1 (September 05, 2002): Bulletin updated to provide link to single download page for all Windows XP patches.
  • V2.2 (September 05, 2002): Bulletin updated to give correct reference to XP download locations for supported languages.
  • V3.0 (September 09, 2002): Bulletin updated to advise customers of the availability of a Windows 2000 version of the patch, and to include information in the Caveats section.
  • V3.1 (September 18, 2002): Bulletin updated to change Windows Me download link.
  • V3.2 (September 20, 2002): Installation platforms section updated to indicate that a supported version of Internet Explorer is required on Windows platforms.
  • V3.3 (October 17, 2002): Bulletin updated to advise customers of the availability of the Mac patches.
  • V4.0 (November 20, 2002): Bulletin updated to advise of the availability of updated patches that eliminate the caveat discussed in V3.0 of the bulletin as well as a new variant of the vulnerability.
  • V4.1 (February 28, 2003): Bulletin updated to advise that customers who have first installed this security patch and then upgraded their system to Internet Explorer 6.0 Service Pack 1 will need to reapply the patch.
  • V4.2 (July 24, 2003): Updated Mac download links.
  • V5.0 (November 11,2003): Bulletin updated to advise on the availability of a new security patch for customers who installed Windows 2000 Service Pack 4 and then installed Internet Explorer 6.0 Service Pack 1.