MS02-048: Flaw in Certificate Enrollment Control May Cause Digital Certificates to Be Deleted

The versions of Microsoft Windows that are listed in the "Applies to" section of this article include an ActiveX control that is known as the Certificate Enrollment control. This control is located in the Xenroll.dll binary. Windows uses this control to allow Web-based certificate enrollments and to submit PKCS #10-compliant certificate requests. When this control receives the requested certificate, it stores the certificate in the user's local certificate store, which is part of the user profile.

The Certificate Enrollment control contains a flaw that may allow a Web page, by using an extremely complex process, to run the control in a way that deletes the certificates on a user's system. An attacker who successfully exploits this vulnerability may be able to delete trusted root certificates, EFS encryption certificates, e-mail signing certificates, and any other certificates on the computer, thereby preventing the user from using these features.

An attack may be carried out in either of the following scenarios:

• The attacker may create a Web page that exploits the vulnerability, and then host this page on a Web site to attack users who visit this site.
• The attacker may send the page as an HTML e-mail message as a way to attack the recipient.

Mitigating Factors

• The Web site-based attack vector may not be exploited if ActiveX Controls are turned off in the security zone that is associated with the attacker's site.
• The message-based attack vector may not be exploited if the recipient's e-mail client handles HTML e-mail messages in the Restricted sites zone. By default, Microsoft Outlook Express 6 and Microsoft Outlook 2002 open e-mail messages in this zone. Microsoft Outlook 98 and Microsoft Outlook 2000 open HTML e-mail messages in the Restricted sites zone if the security update that is available at the following Microsoft Web site has been installed:
  Outlook E-mail Security Update

  (http://www.microsoft.com/downloads/details.aspx?FamilyID=5C011C70-47D0-4306-9FA4-8E92D36332FE)
• This vulnerability does not allow certificates on smart cards to be deleted, even if the smart card is in the computer at the time of an attack.

Microsoft has released an update that prevents the flawed control from being called from Web pages and installs new versions of the control. The client update includes a registry change that turns off the earlier version of the control and installs the new version of the control. Because a common version of the Certificate Enrollment control must be provided to all supported clients, a dependency on CryptoAPI is created. The new Certificate Enrollment control is dependent on the functionality that is only available with Microsoft Internet Explorer 5.0 or later. Therefore, this update is not installed on computers that are not running Internet Explorer 5 or later. If you are not using Internet Explorer 5 or later, you receive the following error message: NOTE: If you add or remove components from your computer, you must reapply this update.

For more information about how to resolve this vulnerability, click any of the following links to review the section that applies to your operating system.

• Windows XP (All Versions)
• Windows 2000 (All Versions)
• Windows NT 4.0 (All Versions)
• Windows Millennium Edition, Windows 98 Second Edition, Windows 98

Windows XP (All Versions)

To resolve this problem, obtain the latest service pack for Windows XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

Windows XP Pre-SP1 Download Information

If you have not applied Windows XP Service Pack 1 (SP1) or later, apply the appropriate patch to resolve this problem. The following files are available for download from the Microsoft Download Center:

Windows XP Professional and Windows XP Home: Windows XP 64-Bit Edition: Release Date: August 28, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base: Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Installation Information

Before you apply this update, close all programs, Internet Explorer browser sessions, and Web services.

To apply this update on a Windows XP-based client, the user who is logged on must be a member of the local Power Users group or the Administrators group.

You must restart your computer after you apply this update. This update supports the following Setup switches:

• -?: Display the list of installation switches.
• -u: Unattended mode.
• -f: Force other programs to quit when the computer shuts down.
• -n: Do not back up files for uninstallation.
• -o: Overwrite OEM files without prompting.
• -z: Do not restart when installation is complete.
• -q: Quiet mode (no user interaction).
• -l: List installed hotfixes.
• -x Extracts the files without running Setup.

For example, to install the update without any user intervention, and then to not force the computer to restart, use the following command line: WARNING: Your computer is vulnerable until you restart it.

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (also known as Universal Time Coordinate [UTC]). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows 2000 (All Versions) Service Pack Information

To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

Windows 2000 (All Versions) Hotfix Information

A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This fix may receive additional testing. If your computer is sufficiently at risk, Microsoft recommends that you apply this fix now. Otherwise, wait for the next Windows 2000 service pack that contains this fix.

To resolve this problem immediately, download the fix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Download Information

The following file is available for download from the Microsoft Download Center:
Release Date: August 28, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on secure servers that prevent any unauthorized changes to the file.

Installation Information

Before you apply this update, close all programs, Internet Explorer browser sessions, and Web services.

To apply this update on a Windows 2000-based client, the user who is logged on must be a member of the local Power Users group or the Administrators group.

Downloads of the Certificate Enrollment control (Xenroll.dll) to Alpha-based client computers from Windows 2000 that has certificate services installed is no longer supported.

You must restart your computer after you apply this update. This update supports the following Setup switches:

• -?: Display the list of installation switches.
• -u: Unattended mode.
• -f: Force other programs to quit when the computer shuts down.
• -n: Do not back up files for uninstallation.
• -o: Overwrite OEM files without prompting.
• -z: Do not restart when installation is complete.
• -q: Quiet mode (no user interaction).
• -l: List installed hotfixes.
• -x: Extracts the files without running Setup.

For example, to install the update without any user intervention, and then to not force the computer to restart, use the following command line: WARNING: Your computer is vulnerable until you restart it.

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows NT 4.0 (All Versions)

A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that you determine are at risk of attack. Evaluate the computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to the computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This hotfix may receive additional testing. If the computer is sufficiently at risk, we recommend that you apply this hotfix now.

To resolve this problem immediately, download the hotfix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site: Note In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Download Information

The following files are available for download from the Microsoft Download Center:

Windows NT 4.0
English: Download the Q323172 package now

Arabic: Download the Q323172 package now

Chinese (Simplified): Download the Q323172 package now

Chinese (Traditional): Download the Q323172 package now

Chinese (Hong Kong): Download the Q323172 package now

Czech: Download the Q323172 package now

Danish: Download the Q323172 package now

Dutch: Download the Q323172 package now

Finnish: Download the Q323172 package now

French: Download the Q323172 package now

German: Download the Q323172 package now

Hebrew: Download the Q323172 package now

Hungarian: Download the Q323172 package now

Italian: Download the Q323172 package now

Japanese: Download the Q323172 package now

Korean: Download the Q323172 package now

Norwegian: Download the Q323172 package now

Polish: Download the Q323172 package now

Portuguese (Brazilian): Download the Q323172 package now

Russian: Download the Q323172 package now

Spanish: Download the Q323172 package now

Swedish: Download the Q323172 package now

Thai: Download the Q323172 package now

Release Date: August 28, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on secure servers that prevent any unauthorized changes to the file.

Installation Information

Before you apply this update, close all programs, Internet Explorer browser sessions, and Web services.

To apply this update on a Windows NT 4.0 client, the user who is logged on must be a member of the local Power Users group or the Administrators group.

Downloads of the Certificate Enrollment control (Xenroll.dll) to Alpha-based client computers from Windows NT 4.0 Server that has certificate services installed is no longer supported.

You must restart your computer after you apply this update. This update supports the following Setup switches:

• -y: Perform uninstall (only with -m or -q).
• -f: Force programs to be closed at shutdown.
• -n: Do not create an Uninstall folder.
• -z: Do not restart when update completes.
• -q: Quiet or Unattended mode with no user interface (this switch is a superset of -m).
• -m: Unattended mode with user interface.
• -l: List installed hotfixes.
• -x: Extracts the files without running Setup.

For example, to install the update without any user intervention, and then to not force the computer to restart, use the following command line: WARNING: Your computer is vulnerable until you restart it.

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows Millennium Edition, Windows 98 Second Edition, and Windows 98

A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This fix may receive additional testing. If your computer is sufficiently at risk, Microsoft recommends that you apply this fix now.

To resolve this problem immediately, download the fix by clicking the download link later in this article or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, please visit the following Microsoft Web site:NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Download Information

The following files are available for download from the Microsoft Download Center:

Windows Millennium Edition: Windows 98 and Windows 98 Second Edition: Release Date: August 28, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on secure servers that prevent any unauthorized changes to the file.

Installation Information

Before you apply this update, close all programs, Internet Explorer browser sessions, and Web services.

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows XP (All Versions)

Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows XP Service Pack 1.

Windows 2000 (All Versions)

Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Microsoft Windows 2000 Service Pack 4.

Windows NT 4.0 (All Versions)

Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article.

Windows Millennium Edition, Windows 98 Second Edition, and Windows 98

Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article.

Client Information

After you apply this update to a client computer, the client cannot enroll with a Web server for which the update has not been applied. If you are using this client, you may experience Web pages that stop responding, you may receive error messages that state the ActiveX Control could not be downloaded, or enrollment may not be successful.

When a client computer for which the updated control has not been applied tries to enroll with a Web server that has been updated, the Web server downloads the updated control to the client computer.

IMPORTANT: Even if a Web site has been updated and client enrollment is successful, you must update the client computer to remove this vulnerability. Netscape browsers do not use the Certificate Enrollment control when enrolling with a Microsoft Windows Certificate Server; however, the client computers must be updated to remove this vulnerability.

Server Information

If you operate a Web site that uses the Certificate Enrollment control, you must make minor revisions to your Web programs to use the new control. Both Windows NT 4.0-based servers and Windows 2000-based servers that host Certificate Services Web enrollment pages must be updated with the new Certificate Enrollment control and the Smartcard Enrollment control. If a Windows certification authority (CA) also has Web enrollment services installed on separate Internet Information Services (IIS)-based servers, you must also apply the server update to those Web sites. Third-party Web sites that use either of these controls must also update any Web pages that use these controls. The Web site must refer to the new class identifier (ID) and version of Xenroll.dll and Scrdenrl.dll:

• Old Xenroll.dll information:
  Class ID: {43F8F289-7A20-11D0-8F06-00C04FC295E1}
• New Xenroll.dll information:
  Class ID: {127698e4-e730-4e5c-a2b1-21490a70c8a1}
  sXEnrollVersion="5,131,3659,0"
• Old Scrdenrl.dll information:
  Class ID: {80CB7887-20DE-11D2-8D5C-00C04FC29D45}
• New Scrdenrl.dll information:
  Class ID: {c2bbea20-1f2b-492f-8a06-b1c5ffeace3b}
  sScrdEnrlVersion="5,131,2195,5938"

The Windows 2000 update will automatically update the Windows 2000 CA Web enrollment pages to use the new controls for Windows client enrollment. Third-party CAs must provide appropriate patches or update Web pages appropriately to use the new Xenroll.dll control class ID.

The Smartcard Enrollment control is only used with Windows 2000 CAs. This control does not apply to Windows NT 4.0, Windows 98, Windows 98 Second Edition, or Windows Millennium Edition. The following Web pages are updated on a Windows 2000 CA: To manually patch a Windows NT 4.0-based server that has Certificate Services installed, follow these steps:

1. Type the following command at a command prompt to manually extract the updated files to a temporary folder:
   q323172i /x
2. Replace the Windows_folder\System32\Certsrv\Certcontrol\Xenroll.cab file with the new version that you extracted in step 1.
3. Install the update as you typically would by running Q323172i.exe, and then restart the computer when you are prompted.
4. Update the following Active Server Pages (ASP) pages to include the new Xenroll class ID (CLSID) and proper version information:
   
   
   • Windows_folder\System32\Certsrv\CertEnroll\Ceaccept.asp
   • Windows_folder\System32\Certsrv\\CertEnroll\Ceenroll.asp
   
   
   To do so:
   • In each Web page, change the old CLSID from:
     classid="clsid:43F8F289-7A20-11D0-8F06-00C04FC295E1"
     
     to:
     
     classid="clsid:127698e4-e730-4e5c-a2b1-21490a70c8a1"
   • In each Web page, change the version number from:
     CODEBASE="/CertControl/xenroll.cab#Version=5,131,2090,1"
     
     to:
     
     CODEBASE="/CertControl/xenroll.cab#Version=5,131,3659,0"
   NOTE: If the web page does not reference the Xenroll CLSID or version-dependent ProgID directly, then it does not need to be updated. The fix which works for both old and new Xenroll is to use CreateObject with a version-independent ProgID.
   
   
5. Verify that %SystemRoot%\WINNT\System32\CertSrv\CertControl\x86\Xenroll.dll has been replaced with the new version.
6. Edit the Browscap.ini file in the %SystemRoot%\System32\Inetsrv folder to allow Internet Explorer 6.0 version browsers.

When a Web page has been successfully updated, if you are using a client that has not been updated, you receive the following message that indicates that the updated control is being downloaded and registered in the Internet Explorer browser: You can use Windows 2000-based and Windows XP-based client computers in conjunction with the Web enrollment services pages on IIS and a Windows 2000 CA to enroll smartcards on behalf of other users. The Smartcard Enrollment station works through Internet Explorer on the client computer and IIS on the server that is hosting the CA Web enrollment pages (this is an optional component during CA installation). The new version of the Smartcard Enrollment control on an updated Web site is not marked "safe for scripting." You must manually configure the Internet Explorer browser to add the Web server computer that is hosting the Web enrollment pages to the list of trusted sites in the Security tab of the Internet Explorer options. If you do not do so, the Smartcard Enrollment control will not be downloaded and it cannot be used. After the Web server has been added to the list of trusted sites, the Smartcard Enrollment pages still display the following warning (this message appears by design): Click Yes to continue using the Smartcard Enrollment station Web pages.

If the Web server is not listed in the trusted sites in Internet Explorer, you receive the following error message: For additional information about possible problems installing Certificate Services after you apply this update, click the article number below to view the article in the Microsoft Knowledge Base: For more information about this vulnerability, visit the following Microsoft Web site: For additional information about Windows Millennium Edition hotfixes, click the article number below to view the article in the Microsoft Knowledge Base: For additional information about Windows 98 and Windows 98 Second Edition hotfixes, click the article number below to view the article in the Microsoft Knowledge Base: