CVE-2002-0862

Severity

75%

Complexity

99%

Confidentiality

106%

The (1) CertGetCertificateChain, (2) CertVerifyCertificateChainPolicy, and (3) WinVerifyTrust APIs within the CryptoAPI for Microsoft products including Microsoft Windows 98 through XP, Office for Mac, Internet Explorer for Mac, and Outlook Express for Mac, do not properly verify the Basic Constraints of intermediate CA-signed X.509 certificates, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack for SSL sessions, as originally reported for Internet Explorer and IIS.

The (1) CertGetCertificateChain, (2) CertVerifyCertificateChainPolicy, and (3) WinVerifyTrust APIs within the CryptoAPI for Microsoft products including Microsoft Windows 98 through XP, Office for Mac, Internet Explorer for Mac, and Outlook Express for Mac, do not properly verify the Basic Constraints of intermediate CA-signed X.509 certificates, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack for SSL sessions, as originally reported for Internet Explorer and IIS.

CVSS 2.0 Base Score 7.5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P).

Overview

Type

Microsoft

First reported 22 years ago

2002-10-04 04:00:00

Last updated 5 years ago

2019-04-30 14:27:00

Affected Software

Microsoft Internet Explorer 5.0

5.0

Microsoft Internet Explorer 5.0.1

5.0.1

Microsoft Internet Explorer 5.0.1 SP1

5.0.1

Microsoft Internet Explorer 5.0.1 SP2

5.0.1

Microsoft ie 5.5

5.5

Microsoft Internet Explorer 5.5 SP1

5.5

Microsoft Internet Explorer 5.5 SP2

5.5

Microsoft Internet Explorer 6.0

6.0

Microsoft Internet Explorer Macintosh 5.0

5.0

Microsoft Internet Explorer Macintosh 5.1

5.1

Microsoft Internet Explorer Macintosh 5.1.1

5.1.1

Microsoft IIS 5.0

5.0

Microsoft office_macos 2001 sr1

2001

Microsoft outlook_express 5.0

5.0

Microsoft Windows 2000

Microsoft windows 2000_sp1

Microsoft windows 2000_sp2

Microsoft windows 2000_sp3

Microsoft Windows 2000 Terminal Services

Microsoft Windows 2000 Terminal Services Service Pack 1

Microsoft Windows 2000 Terminal Services Service Pack 2

Microsoft Windows 2000 Terminal Services Service Pack 3

Microsoft windows 98_gold

Microsoft windows 98_se

Microsoft Windows ME

Microsoft Windows NT 4.0

4.0

Microsoft Windows 4.0 sp1

4.0

Microsoft Windows NT Terminal Server 4.0 SP1

4.0

Microsoft Windows 4.0 sp2

4.0

Microsoft Windows NT Terminal Server 4.0 SP2

4.0

Microsoft Windows 4.0 sp3

4.0

Microsoft Windows NT Terminal Server 4.0 SP3

4.0

Microsoft Windows 4.0 sp4

4.0

Microsoft Windows NT Terminal Server 4.0 SP4

4.0

Microsoft Windows 4.0 sp5

4.0

Microsoft Windows NT Terminal Server 4.0 SP5

4.0

Microsoft Windows 4.0 sp6

4.0

Microsoft Windows NT Terminal Server 4.0 SP6

4.0

Microsoft Windows 4.0 sp6a

4.0

Microsoft Windows NT Terminal Server 4.0 SP6a

4.0

Microsoft windows xp_gold

Microsoft Windows XP Professional Gold

References

20020805 IE SSL Vulnerability

20020812 IE SSL Exploit

20020819 Insufficient Verification of Client Certificates in IIS 5.0 pre sp3

MS02-050

ssl-ca-certificate-spoofing(9776)

oval:org.mitre.oval:def:1056

oval:org.mitre.oval:def:1332

oval:org.mitre.oval:def:2671

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.