Back to customer support
- Microsoft Security Bulletin MS02-048 - Internet Explorer Vulnerability
- Microsoft Security Bulletin MS02-050 - Critical Update for Windows - SSL Vulnerability
When using digital certificates in browsers and third party applications the manufactures provide appropriate information for their own products.
Information on Netscape products, this can be found at:
Netscape Support Site
Netscape Communicator FAQs
Information on Microsoft products, this can be found at:
Microsoft Support Knowledge Base
FAQs and Highlights for the Internet Explorer
Outlook Express
Outlook 2000
Outlook 98
Outlook 97
It is important that the latest supported Browsers and Operating Systems are used as these are supported by the manufacturers when they issue software enhancements.
For a list of supported Microsoft products, please visit their product Life Cycle pages.
- Microsoft Security Bulletin MS02-048
On 28 August Microsoft published a security bulletin and critical update regarding Windows ActiveX controls used by Microsoft Internet Explorer browsers. This bulletin concerns all users of Microsoft Internet Explorer and digital certificates.
The notice can be found here:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-048.asp
As a result of Microsoft discovering and then subsequently patching the security vulnerability in their Active X control, named xenroll.dll, VeriSign no longer supports IE browsers earlier than IE v5.0. Specifically, this is because the new version of the Active X control named xenroll.dll, relies on technology that is not available in versions of Internet Explorer prior to Version 5.
BT Ignite Trust Services Managed PKI customers are advised to read the e-mail sent to their Administrators on 29 August by the Trust Services Customer Helpdesk for further information on this Microsoft issue. This e-mail also contains FAQ's and details actions that our customers should take in response to the Microsoft critical update.
The resolution is to immediately upgrade your IE browser to version 5.0 or above (obtainable from http://www.microsoft.com/downloads/searchdl.asp? ) or load an alternative VeriSign supported browser.
FAQ's and further information regarding this issue affecting Microsoft Internet Explorer have also been posted in the Managed PKI Control Centre for use by Administrators.
Trust Services Customer Helpdesk
- Microsoft Security Bulletin MS02-050 - Critical Update for Windows - SSL Vulnerability
A security flaw has been discovered in Microsoft's Internet Explorer (IE) that could enable SSL certificates that are not signed by a trusted third party, or Certificate Authority (CA), to appear trusted in a normal communication. It is theoretically possible for the holder of a valid Web server certificate to "manufacture" another Web server certificate in such a way that Internet Explorer would not alert a consumer that they are connecting via SSL to a possibly fraudulent Web site. This flaw could affect certificates from any CA and, as such, is not specific to any certificate vendor.
In addition, a newly discovered vulnerability was announced on November 20, 2002 by Microsoft. This is closely related to the vulnerability that was discussed in the original version of the bulletin. Like that vulnerability, the new vulnerability involves a flaw in the way in which certificate validation is performed. Microsoft strongly recommends that customers install the new patch, even if they installed the original version of the patch, as the fix for this new vulnerability was not included in the original version of the patch.
Microsoft has now published a Critical Update for Windows. It can be found at the following URL:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-050.asp
which will also explain in greater technical detail the problem found.
Trust Services Customer Helpdesk
| 
