Microsoft is warning users of its Mac versions of Office, Outlook Express and Internet Explorer about a critical certificate validation flaw that opens the door to identity spoofing. The flaw also affects all shipping Microsoft operating systems.
The company is responding to the flaw because "exploit code" that takes advantage of it is already available. However, the company explains that because of the way Mac OS is built, every application must implement its own cryptography, so a separate patch must be released for each application.
Reporting the flaw, Microsoft explains: "The vulnerability could enable an attacker who had a valid end-entity certificate to issue a subordinate certificate that, although bogus, would nevertheless pass validation. This could enable a variety of identity-spoofing attacks."
At issue is the way the various fields in a digital certificate are defined. One of them, the Basic Constraints field, indicates what level of certificate it is and the maximum length of the certificate chain beneath it. However, CryptoAPI, the Windows component that checks such things, does not check the Basic Constraints field. CryptoAPI is not used in any Microsoft Mac products.
"The same flaw, unrelated to CryptoAPI, is also present in several Microsoft products for Macintosh," the company reveals, without explaining what the flaw is related to.
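To make the missing check concrete, here is an added example (not Microsoft's code, and not a real X.509 parser) that models certificate-chain validation in Python. Certificates are represented as small records, the certificate names are constructed placeholders, and signature verification is assumed to have already succeeded, so only the path-building logic the bulletin talks about (the Basic Constraints cA flag and pathLenConstraint) is shown. `validate_ignoring_basic_constraints` behaves like the flawed validator and accepts a subordinate certificate issued under an ordinary server certificate; `validate_chain` rejects it.

```python
"""Toy certificate-chain validator showing the Basic Constraints check.

Added example: not Microsoft's code and not a real X.509 implementation.
Certificates are modelled as small records and signature verification is
assumed to have already succeeded, so only the path-constraint logic
(cA flag and pathLenConstraint) is demonstrated.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not parsed)."""
    subject: str
    issuer: str
    is_ca: bool                # Basic Constraints: cA flag
    path_len: Optional[int]    # Basic Constraints: pathLenConstraint (None = unbounded)


def _check_links(chain: List[Cert], trusted_roots: List[Cert]) -> Optional[str]:
    """Checks that the chain is non-empty, ends at a trusted root, and that each
    certificate names the next one as its issuer. Returns None when all is well."""
    if not chain:
        return "empty chain"
    if chain[-1] not in trusted_roots:
        return "chain does not end at a trusted root"
    for lower, upper in zip(chain, chain[1:]):
        if lower.issuer != upper.subject:
            return f"{lower.subject!r} is not issued by {upper.subject!r}"
    return None


def validate_ignoring_basic_constraints(chain: List[Cert], trusted_roots: List[Cert]) -> Tuple[bool, str]:
    """The flawed behaviour described in the bulletin: issuer links and the
    trust anchor are checked, but nothing stops an end-entity certificate
    from acting as an issuer."""
    problem = _check_links(chain, trusted_roots)
    return (problem is None, problem or "ok")


def validate_chain(chain: List[Cert], trusted_roots: List[Cert]) -> Tuple[bool, str]:
    """Corrected validator: every certificate above the leaf must carry the CA
    flag, and no CA may have more intermediates beneath it than its
    pathLenConstraint allows."""
    problem = _check_links(chain, trusted_roots)
    if problem is not None:
        return (False, problem)
    # chain[0] is the leaf; chain[i] for i >= 1 issued chain[i-1]
    for i, cert in enumerate(chain[1:], start=1):
        if not cert.is_ca:
            return (False, f"{cert.subject!r} is not a CA but issued a certificate")
        # Intermediate CAs strictly below this one occupy positions 1 .. i-1
        intermediates_below = i - 1
        if cert.path_len is not None and intermediates_below > cert.path_len:
            return (False, f"{cert.subject!r} exceeds its path length constraint")
    return (True, "ok")


# Constructed sample certificates (placeholder names, not real CAs)
ROOT = Cert("Example Root CA", "Example Root CA", is_ca=True, path_len=None)
ISSUING = Cert("Example Issuing CA", "Example Root CA", is_ca=True, path_len=0)
MERCHANT = Cert("shop.example", "Example Issuing CA", is_ca=False, path_len=None)
# A subordinate certificate signed with the merchant's end-entity key: the
# bogus certificate the bulletin describes
BOGUS = Cert("bank.example", "shop.example", is_ca=False, path_len=None)
TRUSTED = [ROOT]

if __name__ == "__main__":
    honest = [MERCHANT, ISSUING, ROOT]
    forged = [BOGUS, MERCHANT, ISSUING, ROOT]
    for label, chain in (("honest", honest), ("forged", forged)):
        print(label, "flawed:", validate_ignoring_basic_constraints(chain, TRUSTED))
        print(label, "fixed: ", validate_chain(chain, TRUSTED))
```

The interesting line is the `is_ca` test inside the loop: a validator that only follows issuer names and signatures back to a trusted root will accept the forged chain, because every signature in it is genuine. The path-length check closes the related gap where a legitimate intermediate CA was only ever permitted to issue end-entity certificates.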
Microsoft downplays the severity of the scenario for Mac users, explaining: "The severity for the Mac products is lower since they use certificates only for Secure Sockets Layer (SSL)." Some Mac users may question this, as SSL is by far the main digital certification system used in online payments.
The company agrees that identity spoofing could occur as a result of the vulnerability. An attacker could set up a Web site purporting to be a trusted e-commerce site, creating a bogus SSL server certificate to boost the claim. Unsuspecting users could then be convinced to send such sensitive data as their credit card number.
A number of other problems also exist: these are listed in Microsoft's Security Bulletin MS02-050, which is available online.
The company will release a separate patch for each affected Mac product.