September 6, 2002 — (WEB HOST INDUSTRY REVIEW) — A “critical” security alert issued by Microsoft this week identified a flaw in the Windows operating system that could allow hackers to gain unauthorized access to computers.
The flaw affects the way more than a dozen Microsoft products handle digital certificates used to authenticate Web sites and code. It could let a Web site with a valid certificate issue a second, invalid one, allowing it access to computers and theft of user passwords or credit card numbers.
While experts doubt the flaw has been exploited yet, they say its implications could be large, because it affects CryptoAPI, one of Windows' key security authentication mechanisms. The flaw, if exploited, has the potential to shake consumers' confidence in Web-based transactions.
Microsoft's bulletin warned that CryptoAPI does not properly validate a particular portion of a digital certificate. The company strongly urged consumers and businesses to install the patches posted on its Web site in order to correct the flaw, but the Windows 2000 operating system had yet to be patched.
Patches were initially made available for Windows NT 4, NT 4 Terminal Server, XP and XP 64-bit Edition, with additional patches for Windows 98, 98 Second Edition and Windows Me released later Thursday. A number of Microsoft Macintosh programs are also affected by the flaw, with patches expected soon for those products. The problem was labeled moderate, rather than critical, for the Macintosh products. The company says it is working round the clock to develop patches for additional systems.











