First published: Tue Sep 10 2002
The (1) CertGetCertificateChain, (2) CertVerifyCertificateChainPolicy, and (3) WinVerifyTrust APIs within the CryptoAPI for Microsoft products including Microsoft Windows 98 through XP, Office for Mac, Internet Explorer for Mac, and Outlook Express for Mac, do not properly verify the Basic Constraints of intermediate CA-signed X.509 certificates, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack for SSL sessions, as originally reported for Internet Explorer and IIS.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Microsoft Windows 2000 | ||
Microsoft Windows 9x | ||
Microsoft Windows 98 | ||
Microsoft Windows | ||
Microsoft Windows NT | =4.0 | |
Microsoft Windows XP | ||
Internet Explorer | ||
Microsoft Office | ||
Microsoft Outlook Express | ||
macOS | ||
tinyssl | =1.0.2 | |
Konqueror | =2.2.2 | |
Konqueror | =3.0 | |
Konqueror | =3.0.1 | |
Konqueror | =3.0.2 | |
Microsoft Internet Explorer for Mac | =5.0 | |
Microsoft Internet Explorer for Mac | =5.1 | |
Microsoft Internet Explorer for Mac | =5.1.1 | |
Internet Explorer | =5.0 | |
Internet Explorer | =5.0.1 | |
Internet Explorer | =5.0.1-sp1 | |
Internet Explorer | =5.0.1-sp2 | |
Internet Explorer | =5.5 | |
Internet Explorer | =5.5-sp1 | |
Internet Explorer | =5.5-sp2 | |
Internet Explorer | =6.0 | |
Microsoft Internet Information Services (IIS) | =5.0 | |
Microsoft Office | =98 | |
Microsoft Office | =2001 | |
Microsoft Office | =2001-sr1 | |
Microsoft Office | =v.x | |
Microsoft Outlook Express | =4.5 | |
Microsoft Outlook Express | =5.0 | |
Microsoft Outlook Express | =5.0.1 | |
Microsoft Outlook Express | =5.0.2 | |
Microsoft Outlook Express | =5.0.3 | |
Baltimore Technologies MailSecure | ||
KDE Kde Beta 3 | =2.2.1 | |
KDE Kde Beta 3 | =2.2.2 | |
KDE Kde Beta 3 | =3.0 | |
KDE Kde Beta 3 | =3.0.1 | |
KDE Kde Beta 3 | =3.0.2 | |
Microsoft Windows 2000 | ||
Microsoft Windows 2000 | =sp1 | |
Microsoft Windows 2000 | =sp2 | |
Microsoft Windows 2000 | =sp3 | |
Microsoft Windows Terminal Services | ||
Microsoft Windows Terminal Services | =sp1 | |
Microsoft Windows Terminal Services | =sp2 | |
Microsoft Windows Terminal Services | =sp3 | |
Microsoft Windows 9x | =gold | |
Microsoft Windows 98 | ||
Microsoft Windows | ||
Microsoft Windows NT | =4.0 | |
Microsoft Windows NT | =4.0-sp1 | |
Microsoft Windows NT | =4.0-sp2 | |
Microsoft Windows NT | =4.0-sp3 | |
Microsoft Windows NT | =4.0-sp4 | |
Microsoft Windows NT | =4.0-sp5 | |
Microsoft Windows NT | =4.0-sp6 | |
Microsoft Windows NT | =4.0-sp6a | |
Microsoft Windows XP | ||
Microsoft Windows XP | =gold | |
CVE-2002-0862 has a high severity rating as it affects the verification process of certificate chains in various Microsoft products.
To fix CVE-2002-0862, users should apply the latest security patches provided by Microsoft for their affected software.
CVE-2002-0862 affects several Microsoft products including Windows 98, Windows 2000, Windows XP, and Microsoft Office applications.
CVE-2002-0862 is a certificate validation vulnerability that can allow an attacker to use a forged certificate.
Yes, CVE-2002-0862 can be exploited remotely, making it a critical risk for users running the affected software.