Windows flaw threatens PC services

Microsoft is urging Windows users to update their systems to patch a vulnerability that could let attackers corrupt the digital certificates used in network services.

Microsoft said on Wednesday that a critical flaw in most versions of the company's Windows operating system could allow malicious attackers to corrupt the digital certificates that PCs use to connect to network services.

The vulnerability can be exploited via a specially coded ActiveX control inserted into hypertext markup language (HTML), the lingua franca of the Web. To fall victim to an attack, a PC user would have to browse a Web site, or open an HTML email, specifically set up to take advantage of the vulnerability.

"(The flaw) could enable a Web page, through an extremely complex process, to invoke the (ActiveX) control in a way that would delete certificates on a user's system," Microsoft warned in an advisory released late on Wednesday.

Such digital certificates are used to hold encryption keys used in email, the encrypted files system (ESS) that is shipped with certain versions of Windows, and in the Secure Sockets Layer communications protocol used by many e-commerce Web sites. ESS is shipped in Windows 2000 and Windows XP Professional. While the flaw doesn't allow a malicious vandal to steal the certificates, it does allow the attacker to corrupt the data, rendering it useless to the PC's owner.

Depending on the certificates corrupted, the act would prevent the victim from encrypting and decrypting email and from encrypting files, and would complicate the use of secure Web sites, Microsoft advised. The flaw occurs in the Certificate Enrollment ActiveX Control.

Microsoft suggests that all users of Windows 98, Windows 98 Second Edition, Windows Millennium, Windows NT 4.0, Windows 2000 and Windows XP patch their systems immediately.

The latest advisory brings the number of such warnings by the software giant to 48 for the year.
