Saturday, September 07, 2002

Microsoft Puts Out Patch for Windows Flaw
Microsoft Corp. on Thursday released a patch for the Windows flaw discovered last month that allows an attacker to generate and sign fake certificates for third-party Web sites.

The flaw affects all versions of Windows back to 95, Office for Mac, Internet Explorer for Mac and Outlook Express for Mac.


http://www.eweek.com/article2/0,3959,518168,00.asp

The vulnerability is actually in the Windows CryptoAPI, which constructs and validates certificate chains. It manifests itself in the way that Internet Explorer handles digital certificates used in Secure Socket Layer (SSL) connections to remote Web servers. Such certificates are typically issued and signed by certificate authorities (CAs) such as VeriSign Inc., and list the URL of the Web site to which they are issued.

But, IE doesn't check the Basic Constraints field on the certificate, which shows the maximum allowable length of the certificate chain as well as whether the certificate is a certificate authority or an end-entity certificate. As a result, a malicious Web site operator could generate and sign a bogus certificate for another site and collect credit card data and other information from any users lured to the site.
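
The check described above, as an added example that is not from the article or from Microsoft's code: a simplified Python model of the Basic Constraints rules a chain validator has to apply to every issuing certificate. The certificate names are constructed, and signature verification, expiry, revocation and self-issued certificates are assumed to be handled elsewhere.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cert:
    """Only the fields relevant to Basic Constraints (simplified model)."""
    subject: str
    issuer: str
    is_ca: bool = False             # basicConstraints cA flag
    path_len: Optional[int] = None  # basicConstraints pathLenConstraint


def check_basic_constraints(chain: List[Cert]) -> List[str]:
    """chain[0] is the site certificate, chain[-1] the trusted root.

    Returns a list of problems; an empty list means the chain passes.
    """
    problems = []
    for i in range(1, len(chain)):
        issuer, child = chain[i], chain[i - 1]
        if child.issuer != issuer.subject:
            problems.append(f"{child.subject}: issuer is not {issuer.subject}")
        # Every certificate that signs another one must be marked as a CA.
        if not issuer.is_ca:
            problems.append(f"{issuer.subject}: signed {child.subject} but is not a CA")
        # pathLenConstraint caps the number of intermediate CA certificates
        # between this issuer and the site certificate.
        below = i - 1
        if issuer.path_len is not None and below > issuer.path_len:
            problems.append(
                f"{issuer.subject}: path length {below} exceeds limit {issuer.path_len}")
    return problems


# Constructed sample data: a normal chain, and one where an ordinary site
# certificate has been used to sign a certificate for a different site.
ROOT = Cert("Example Root CA", "Example Root CA", is_ca=True)
ISSUING = Cert("Example Issuing CA", "Example Root CA", is_ca=True, path_len=0)
SITE = Cert("www.attacker.example", "Example Issuing CA")
FORGED = Cert("www.shop.example", "www.attacker.example")

GOOD_CHAIN = [SITE, ISSUING, ROOT]
FORGED_CHAIN = [FORGED, SITE, ISSUING, ROOT]

if __name__ == "__main__":
    print("good chain:", check_basic_constraints(GOOD_CHAIN) or "ok")
    for problem in check_basic_constraints(FORGED_CHAIN):
        print("forged chain:", problem)
```

A validator that skips these checks accepts the second chain because every signature in it is genuine; only the CA flag and the path length limit show that the site certificate had no authority to issue anything.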
