Microsoft reports 'critical' security flaw in Windows
August 30, 2002
Microsoft said Wednesday all versions of its Windows operating system released since 1996 have a security flaw that could allow attackers to delete digital certificates.
The Redmond-based giant said that a cracker could use an e-mail or a Web site to gain entry into a system and delete the pieces of data that are used to encrypt other data, such as e-mail messages.
The vulnerability is in an ActiveX control called the Certificate Enrollment Control, used to request new digital certificates over the Web and install them on computers.
Such digital certificates are used in a number of functions by Windows operating systems, including encrypting e-mail, securing and authenticating Web transactions, and protecting the Windows 2000 and Windows XP Encrypting File System (EFS). While the flaw doesn't allow a malicious infiltrator to steal the certificates, it enables the attacker to corrupt the data, rendering it useless to the PC's owner.
The attack could be carried out with the help of a specially crafted Web page designed to exploit the vulnerability. By hosting the page on a Web site, an attacker could use it against the computers of users who visit the page. Another possibility would be an e-mail sent in HTML format; the flaw could then be exploited when the message was opened.
Windows runs more than 90 percent of the world's personal computers. The vulnerability also affects versions that run server computers, which distribute data for networks and Web sites.
However, security experts believe the flaw isn't severe and is unlikely to be used by many crackers because it doesn't give them control of the computer or access to user data.
The versions of Windows that are vulnerable include Microsoft Windows 98, Windows 98 Second Edition, Windows Millennium, Windows NT 4.0, Windows 2000 and Windows XP.
Microsoft suggests that all users of those Windows versions patch their system immediately.