Microsoft Corp. on Thursday released a patch for the Windows flaw discovered last month that allows an attacker to generate and sign fake certificates for third-party Web sites.
The flaw affects all versions of Windows back to 95, Office for Mac, Internet Explorer for Mac and Outlook Express for Mac.
The vulnerability is actually in the Windows CryptoAPI, which constructs and validates certificate chains. It manifests itself in the way that Internet Explorer handles digital certificates used in Secure Socket Layer (SSL) connections to remote Web servers. Such certificates are typically issued and signed by certificate authorities (CAs) such as VeriSign Inc., and list the URL of the Web site to which they are issued.
But, IE doesnt check the Basic Constraints field on the certificate, which shows the maximum allowable length of the certificate chain as well as whether the certificate is a certificate authority or an end-entity certificate. As a result, a malicious Web site operator could generate and sign a bogus certificate for another site and collect credit card data and other information from any users lured to the site.
The Mac vulnerabilities are unrelated to the CryptoAPI and are in each of the individual products, Microsoft said.
The patches for the various products will be available here.
Currently, only the patches for Windows NT and XP are ready; the others will be released shortly.
- Windows Flaw Leaves Certificates Vulnerable
- Microsoft Warns of Flaws in ActiveX Control
- More Security Coverage