CVE-2002-0862
Microsoft Windows 2000 - Improper Certificate Validation
The (1) CertGetCertificateChain, (2) CertVerifyCertificateChainPolicy, and (3) WinVerifyTrust APIs within the CryptoAPI for Microsoft products including Microsoft Windows 98 through XP, Office for Mac, Internet Explorer for Mac, and Outlook Express for Mac do not properly verify the Basic Constraints of intermediate CA-signed X.509 certificates, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack for SSL sessions, as originally reported for Internet Explorer and IIS.
Exploits (1)
References (8)
Scores
EPSS: 0.1734
EPSS Percentile: 95.1%
Details
CWE: CWE-295
Status: published
Products (9)
microsoft/internet_explorer
microsoft/office
microsoft/outlook_express
microsoft/windows_2000
microsoft/windows_98
microsoft/windows_98se
microsoft/windows_me
microsoft/windows_nt 4.0 (2 CPE variants)
microsoft/windows_xp
Published: Oct 04, 2002
Tracked Since: Feb 18, 2026