Feeds

MS patches bogus certificate hole on NT, XP

The rest of you, Mac users too, will have to wait

  • alert
  • submit to reddit

Intelligent flash storage arrays

Microsoft has finally begun patching a severe security flaw in its implementation of digital-certificate basic-constraints checking which we've been ranting about for nearly a month. The stuff-up makes it possible for SSL and e-mail signature certs to be forged.

Currently, Win-NT and XP users have fixes available for their kit. This leaves Win-98, 98-SE, ME, and 2K users waiting for patches which will be 'issued shortly,' the company says. There will also be patches for numerous versions of Internet Explorer, MS-Office, and Outlook Express for the Mac. On Windows it's necessary only to fix CryptoAPI for each OS version, but on Macs the situation is reversed; each Microsoft application needs to be fixed separately -- so if you're using more than one, you'll need more than one patch.

Interestingly, MS rates this Trustworthy Computing stuff-up 'Critical', in contradiction to their earlier whitewash of the issue.

Even now, with the 'C' word plastered all over the MS bulletin, the company can't resist plugging in every bit of soft-pedal boilerplate from its original 'what, us worry?' PR offering. There is no mention of the fact that a valid certificate and key have already been circulated with SSLsniff, an exploit tool developed by Mike Benham, who first reported the issue.

There is also no mention of the way SSLsniff can be used to intercept a third party's SSL session where the victim and attacker are on the same LAN. Indeed, there's no mention of Benham himself, but that's probably due to Redmond's irritation with him for spilling the beans before they were ready to have them spilt. Of course there was always a simple workaround: Windows users could have used Mozilla for both e-mail and browsing, and simply not been troubled. For its part, MS seems not to have appreciated the the elegance of this solution.

The MS bulletin and links to the patches can be found here. ®

Remote control for virtualized desktops

More from The Register

next story
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Microsoft: Your Linux Docker containers are now OURS to command
New tool lets admins wrangle Linux apps from Windows
Facebook, working on Facebook at Work, works on Facebook. At Work
You don't want your cat or drunk pics at the office
Soz, web devs: Google snatches its Wallet off the table
Killing off web service in 3 months... but app-happy bonkers are fine
First in line to order a Nexus 6? AT&T has a BRICK for you
Black Screen of Death plagues early Google-mobe batch
Microsoft adds video offering to Office 365. Oh NOES, you'll need Adobe Flash
Lovely presentations... but not on your Flash-hating mobe
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The hidden costs of self-signed SSL certificates
Exploring the true TCO for self-signed SSL certificates, including a side-by-side comparison of a self-signed architecture versus working with a third-party SSL vendor.