Vulnerability

CryptoAPI

Affected

Win2000

Description

Filip Schepers (ISS Brussels) found the following. He was performing a lock-down of a Windows 2000 Advanced Server with Service Pack 1 preinstalled when he found that the pre-SP1 hotfix MS00-032 (Windows 2000 protected store vulnerability, KB article Q260219) appeared not to have been installed (psbase.dll < 5.0.2195.2096), even though Microsoft states this hotfix is included in Windows 2000 Service Pack 1.

On the Technet Security website, Microsoft says the following about this hotfix:

"The patch can be applied atop Windows 2000 Gold, and will be included in Windows 2000 Service Pack 1. However, regardless of how the patch is applied, keymigrt still must be run one time, to re-encrypt all its already in the Protected Store." (sic)

Microsoft also states in KB article Q269428 that this hotfix was included in Service Pack 1:

http://support.microsoft.com/support/kb/articles/Q269/4/28.ASP

Original issue can be found at:

http://oliver.efri.hr/~crv/security/bugs/NT/capi2.html

Comparing the "offending" psbase.dll in the pre-SP1 hotfix with the one in SP1 shows that the dll that comes with the pre-SP1 hotfix is _newer_ than the dll that comes with the service pack. The bulletin also says that people should run the keymigrt utility that comes with the hotfix to upgrade the protection of already installed key material to strong crypto. This utility is not installed with the service pack. Nor is it possible to install a pre-SP1 hotfix over an SP1 system (at least not by simply running the hotfix executable).

Filip investigated 2 SP1 systems: 1 Windows 2000 Professional with the strong SP1 applied directly, and a Windows 2000 Advanced Server with weak SP1 applied that was upgraded to strong using the strong crypto pack. Filip hasn't been able to check a weak SP1 only system, and doesn't know what happens if the hotfix is applied to a vanilla W2K system that is then upgraded to SP1.

Solution

Nothing yet.
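The version check described above (psbase.dll < 5.0.2195.2096) can be run offline against a copy of the DLL by reading the file version from its VS_FIXEDFILEINFO resource. This is an added example, not part of the original advisory or any Microsoft tool. Only the 5.0.2195.2096 threshold comes from the advisory; the sample builder `make_sample` and the 5.0.2195.1600 version are constructed for illustration.

```python
import struct

# Threshold from the advisory: psbase.dll builds below this lack the MS00-032 fix.
FIXED_VERSION = (5, 0, 2195, 2096)
VS_FFI_SIGNATURE = struct.pack("<I", 0xFEEF04BD)  # first DWORD of VS_FIXEDFILEINFO


def file_version(data):
    """Return the four-part file version found in raw PE bytes, or None."""
    pos = data.find(VS_FFI_SIGNATURE)
    while pos != -1:
        # Layout: dwSignature, dwStrucVersion, dwFileVersionMS, dwFileVersionLS.
        if pos + 16 <= len(data):
            _sig, struc_ver, ms, ls = struct.unpack_from("<4I", data, pos)
            if struc_ver == 0x00010000:  # rejects a chance match on the signature
                return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)
        pos = data.find(VS_FFI_SIGNATURE, pos + 1)
    return None


def has_ms00_032_fix(data):
    """True for the fixed build or later, False if older, None if unreadable."""
    version = file_version(data)
    if version is None:
        return None
    # Tuple comparison is numeric per field, so 10000 sorts above 2096.
    return version >= FIXED_VERSION


def make_sample(version):
    """Constructed stand-in for a DLL: padding plus a VS_FIXEDFILEINFO header."""
    a, b, c, d = version
    ffi = struct.pack("<4I", 0xFEEF04BD, 0x00010000, (a << 16) | b, (c << 16) | d)
    return b"MZ" + b"\x00" * 62 + ffi + b"\x00" * 36


if __name__ == "__main__":
    # Constructed versions chosen to sit on either side of the threshold.
    for label, ver in [("older", (5, 0, 2195, 1600)), ("fixed", FIXED_VERSION)]:
        sample = make_sample(ver)
        print(label, file_version(sample), has_ms00_032_fix(sample))
```

To check a real file, pass the bytes of a copied psbase.dll (read in binary mode) to `has_ms00_032_fix`. A `True` result says nothing about whether keymigrt was run on that system.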