RESOLUTION
Microsoft has released an update that prevents the flawed
control from being called from Web pages and installs new versions of the
control. The client update includes a registry change that turns off the earlier
version of the control and installs the new version of the control. Because a
common version of the Certificate Enrollment control must be provided to all
supported clients, a dependency on
CryptoAPI is created. The
new Certificate Enrollment control is dependent on the functionality that is
only available with Microsoft Internet Explorer 5.0 or later. Therefore, this
update is not installed on computers that are not running Internet Explorer 5 or
later. If you are not using Internet Explorer 5 or later, you receive the
following error message:
This update is not designed for your version of Internet
Explorer. Press OK to exit.
NOTE: If you add or remove
components from your computer, you must reapply this update.
For more
information about how to resolve this vulnerability, click any of the following
links to review the section that applies to your operating system.
Windows XP (All Versions)
To resolve this problem, obtain the latest
service pack for Windows XP. For additional information, click the following
article number to view the article in the Microsoft Knowledge Base:
322389
How to Obtain the Latest Windows XP Service Pack
Windows XP Pre-SP1 Download Information
If you have not applied Windows
XP Service Pack 1 (SP1) or later, apply the appropriate patch to resolve this
problem. The following files are available for download from the Microsoft
Download Center:
Windows XP Professional and Windows XP Home:
English (US): Download the Q323172 package now
Arabic: Download the Q323172 package now
Chinese (Simplified): Download the Q323172 package now
Chinese (Traditional): Download the Q323172 package now
Czech: Download the Q323172 package now
Danish: Download the Q323172 package now
Dutch: Download the Q323172 package now
Finnish: Download the Q323172 package now
French: Download the Q323172 package now
German: Download the Q323172 package now
Greek: Download the Q323172 package now
Hebrew: Download the Q323172 package now
Hungarian: Download the Q323172 package now
Italian: Download the Q323172 package now
Japanese: Download the Q323172 package now
Korean: Download the Q323172 package now
Norwegian: Download the Q323172 package now
Polish: Download the Q323172 package now
Portuguese: Download the Q323172 package now
Portuguese (Brazil): Download the Q323172 package now
Russian: Download the Q323172 package now
Spanish: Download the Q323172 package now
Swedish: Download the Q323172 package now
Turkish: Download the Q323172 package now
Windows XP 64-Bit Edition:
English (US): Download the Q323172 package now
French: Download the Q323172 package now
German: Download the Q323172 package now
Japanese: Download the Q323172 package now
Release Date: August 28, 2002
For additional information about how to download Microsoft Support
files, click the following article number to view the article in the Microsoft
Knowledge Base:
119591
How to Obtain Microsoft Support Files from Online Services
Microsoft scanned
this file for viruses. Microsoft used the most current virus-detection software
that was available on the date that the file was posted. The file is stored on
security-enhanced servers that help to prevent any unauthorized changes to the
file.
Installation Information
Before you apply this update, close all
programs, Internet Explorer browser sessions, and Web services.
To apply
this update on a Windows XP-based client, the user who is logged on must be a
member of the local Power Users group or the Administrators group.
You
must restart your computer after you apply this update. This update supports the
following Setup switches:
- -?: Display the list of installation switches.
- -u: Unattended mode.
- -f: Force other programs to quit when the computer shuts down.
- -n: Do not back up files for uninstallation.
- -o: Overwrite OEM files without prompting.
- -z: Do not restart when installation is complete.
- -q: Quiet mode (no user interaction).
- -l: List installed hotfixes.
- -x: Extracts the files without running Setup.
For example, to install the update without any user intervention and without
restarting the computer automatically, use the following command line:
filename -u -q -z
WARNING: Your computer is vulnerable until you
restart it.
File Information
The English version of this fix has the file attributes (or later) that are
listed in the following table. The dates and times for these files are listed
in Coordinated Universal Time (UTC). When you view the file information, it is
converted to local time. To find the difference between UTC and local time, use
the Time Zone tab in the Date and Time tool in Control Panel.
Date Version Size File name
------------------------------------------------
09-Jul-2002 5.131.3659.0 172,664 Xenroll.dll
Windows 2000 (All Versions)
A supported fix is now available from
Microsoft, but it is only intended to correct the problem that is described in
this article. Apply it only to computers that you determine are at risk of
attack. Evaluate your computer's physical accessibility, network and Internet
connectivity, and other factors to determine the degree of risk to your
computer. See the associated
Microsoft Security Bulletin to help determine the degree of
risk. This fix may receive additional testing. If your computer is sufficiently
at risk, Microsoft recommends that you apply this fix now. Otherwise, wait for
the next Windows 2000 service pack that contains this fix.
To resolve
this problem immediately, download the fix by following the instructions later
in this article or contact Microsoft Product Support Services to obtain the fix.
For a complete list of Microsoft Product Support Services phone numbers and
information about support costs, visit the following Microsoft Web site:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS
NOTE:
In special cases, charges that are ordinarily incurred for support calls may be
canceled if a Microsoft Support Professional determines that a specific update
will resolve your problem. The usual support costs will apply to additional
support questions and issues that do not qualify for the specific update in
question.
Download Information
The following file is available for download from
the Microsoft Download Center:
All Languages:
Download the Q323172 package now
Release Date: August 28, 2002
For additional information about how to download Microsoft Support
files, click the following article number to view the article in the Microsoft
Knowledge Base:
119591
How to Obtain Microsoft Support Files from Online Services
Microsoft scanned
this file for viruses. Microsoft used the most current virus-detection software
that was available on the date that the file was posted. The file is stored on
secure servers that prevent any unauthorized changes to the file.
Installation Information
Before you apply this update, close all
programs, Internet Explorer browser sessions, and Web services.
To apply
this update on a Windows 2000-based client, the user who is logged on must be a
member of the local Power Users group or the Administrators
group.
Downloads of the Certificate Enrollment control (Xenroll.dll) to Alpha-based
client computers from a Windows 2000 server that has Certificate Services
installed are no longer supported.
You must restart your computer after
you apply this update. This update supports the following Setup switches:
- -?: Display the list of installation switches.
- -u: Unattended mode.
- -f: Force other programs to quit when the computer shuts down.
- -n: Do not back up files for uninstallation.
- -o: Overwrite OEM files without prompting.
- -z: Do not restart when installation is complete.
- -q: Quiet mode (no user interaction).
- -l: List installed hotfixes.
- -x: Extracts the files without running Setup.
For example, to install the update without any user intervention and without
restarting the computer automatically, use the following command line:
filename -u -q -z
WARNING: Your computer is vulnerable until you
restart it.
File Information
The English version of this fix has the file attributes
(or later) that are listed in the following table. The dates and times for these
files are listed in coordinated universal time (UTC). When you view the file
information, it is converted to local time. To find the difference between UTC
and local time, use the
Time Zone tab in the Date and Time tool
in Control Panel.
Date Version Size File name
---------------------------------------------------
09-Jul-2002 5.131.3659.0 172,664 Xenroll.dll
05-Aug-2002 5.131.2195.5938 48,568 Scrdenrl.dll
Windows NT 4.0 (All Versions)
A supported fix is now available from
Microsoft, but it is only intended to correct the problem that is described in
this article. Apply it only to computers that you determine are at risk of
attack. Evaluate your computer's physical accessibility, network and Internet
connectivity, and other factors to determine the degree of risk to your
computer. See the associated
Microsoft Security Bulletin to help determine the degree of
risk. This fix may receive additional testing. If your computer is sufficiently
at risk, Microsoft recommends that you apply this fix now.
To resolve
this problem immediately, download the fix by clicking the download link later
in this article or contact Microsoft Product Support Services to obtain the fix.
For a complete list of Microsoft Product Support Services phone numbers and
information about support costs, please visit the following Microsoft Web site:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS
NOTE:
In special cases, charges that are ordinarily incurred for support calls may be
canceled, if a Microsoft Support Professional determines that a specific update
will resolve your problem. The usual support costs will apply to additional
support questions and issues that do not qualify for the specific update in
question.
Download Information
The following files are available for download from
the Microsoft Download Center:
Windows NT 4.0:
All Languages:
Download the Q323172 package now
Windows NT Server
4.0, Terminal Server Edition:
All Languages:
Download the Q323172 package now
Release Date: August 28, 2002
For additional information about how to download Microsoft Support
files, click the following article number to view the article in the Microsoft
Knowledge Base:
119591
How to Obtain Microsoft Support Files from Online Services
Microsoft scanned
this file for viruses. Microsoft used the most current virus-detection software
that was available on the date that the file was posted. The file is stored on
secure servers that prevent any unauthorized changes to the file.
Installation Information
Before you apply this update, close all
programs, Internet Explorer browser sessions, and Web services.
To apply
this update on a Windows NT 4.0 client, the user who is logged on must be a
member of the local Power Users group or the Administrators
group.
Downloads of the Certificate Enrollment control (Xenroll.dll) to Alpha-based
client computers from a Windows NT 4.0 Server that has Certificate Services
installed are no longer supported.
You must restart your computer
after you apply this update. This update supports the following Setup switches:
- -y: Perform uninstall (only with -m or -q).
- -f: Force programs to be closed at shutdown.
- -n: Do not create an Uninstall folder.
- -z: Do not restart when update completes.
- -q: Quiet or Unattended mode with no user interface (this switch is a
superset of -m).
- -m: Unattended mode with user interface.
- -l: List installed hotfixes.
- -x: Extracts the files without running Setup.
For example, to install the update without any user intervention and without
restarting the computer automatically, use the following command line:
filename -q -z
WARNING: Your computer is vulnerable until you
restart it.
File Information
The English version of this fix has the file attributes
(or later) that are listed in the following table. The dates and times for these
files are listed in coordinated universal time (UTC). When you view the file
information, it is converted to local time. To find the difference between UTC
and local time, use the
Time Zone tab in the Date and Time tool
in Control Panel.
Date Version Size File name
------------------------------------------------
09-Jul-2002 5.131.3659.0 172,664 Xenroll.dll
Windows Millennium Edition, Windows 98 Second Edition, and Windows 98
A
supported fix is now available from Microsoft, but it is only intended to
correct the problem that is described in this article. Apply it only to
computers that you determine are at risk of attack. Evaluate your computer's
physical accessibility, network and Internet connectivity, and other factors to
determine the degree of risk to your computer. See the associated
Microsoft Security Bulletin to help determine the degree of
risk. This fix may receive additional testing. If your computer is sufficiently
at risk, Microsoft recommends that you apply this fix now.
To resolve
this problem immediately, download the fix by clicking the download link later
in this article or contact Microsoft Product Support Services to obtain the fix.
For a complete list of Microsoft Product Support Services phone numbers and
information about support costs, please visit the following Microsoft Web site:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS
NOTE:
In special cases, charges that are ordinarily incurred for support calls may be
canceled, if a Microsoft Support Professional determines that a specific update
will resolve your problem. The usual support costs will apply to additional
support questions and issues that do not qualify for the specific update in
question.
Download Information
The following files are available for download from
the Microsoft Download Center:
Windows Millennium Edition:
English (US): Download the Q323172 package now
Arabic: Download the Q323172 package now
Enabled Arabic: Download the Q323172 package now
Chinese (Simplified): Download the Q323172 package now
Chinese (Traditional): Download the Q323172 package now
Czech: Download the Q323172 package now
Danish: Download the Q323172 package now
Dutch: Download the Q323172 package now
Finnish: Download the Q323172 package now
French: Download the Q323172 package now
German: Download the Q323172 package now
Greek: Download the Q323172 package now
Hebrew: Download the Q323172 package now
Enabled Hebrew: Download the Q323172 package now
Hungarian: Download the Q323172 package now
Italian: Download the Q323172 package now
Japanese: Download the Q323172 package now
Korean: Download the Q323172 package now
Norwegian: Download the Q323172 package now
Polish: Download the Q323172 package now
Portuguese: Download the Q323172 package now
Portuguese (Brazil): Download the Q323172 package now
Russian: Download the Q323172 package now
Slovak: Download the Q323172 package now
Slovenian: Download the Q323172 package now
Spanish: Download the Q323172 package now
Swedish: Download the Q323172 package now
Thai: Download the Q323172 package now
Turkish: Download the Q323172 package now
Windows 98 and Windows 98 Second Edition:
All Languages: Download the Q323172 package now
Release Date: August 28, 2002
For additional information about how to download Microsoft Support
files, click the following article number to view the article in the Microsoft
Knowledge Base:
119591
How to Obtain Microsoft Support Files from Online Services
Microsoft scanned
this file for viruses. Microsoft used the most current virus-detection software
that was available on the date that the file was posted. The file is stored on
secure servers that prevent any unauthorized changes to the file.
Installation Information
Before you apply this update, close all
programs, Internet Explorer browser sessions, and Web services.
File Information
The English version of this fix has the file attributes
(or later) that are listed in the following table. The dates and times for these
files are listed in coordinated universal time (UTC). When you view the file
information, it is converted to local time. To find the difference between UTC
and local time, use the
Time Zone tab in the Date and Time tool
in Control Panel.
Date Version Size File name
------------------------------------------------
09-Jul-2002 5.131.3659.0 172,664 Xenroll.dll
MORE INFORMATION
Client Information
After you apply this update to a client computer, the
client cannot enroll with a Web server for which the update has not been
applied. If you are using this client, you may experience Web pages that stop
responding, you may receive error messages that state the ActiveX Control could
not be downloaded, or enrollment may not be successful.
When a client
computer for which the updated control has not been applied tries to enroll with
a Web server that has been updated, the Web server downloads the updated control
to the client computer.
IMPORTANT: Even if a Web site
has been updated and client enrollment is successful, you must update the client
computer to remove this vulnerability. Netscape browsers do not use the
Certificate Enrollment control when enrolling with a Microsoft Windows
Certificate Server; however, the client computers must be updated to remove this
vulnerability.
Server Information
If you operate a Web site that uses the Certificate
Enrollment control, you must make minor revisions to your Web programs to use
the new control. Both Windows NT 4.0-based servers and Windows 2000-based
servers that host Certificate Services Web enrollment pages must be updated with
the new Certificate Enrollment control and the Smartcard Enrollment control. If
a Windows certification authority (CA) also has Web enrollment services
installed on separate Internet Information Services (IIS)-based servers, you
must also apply the server update to those Web sites. Third-party Web sites that
use either of these controls must also update any Web pages that use these
controls. The Web site must refer to the new class identifier (ID) and version
of Xenroll.dll and Scrdenrl.dll:
- Old Xenroll.dll information:
Class ID: {43F8F289-7A20-11D0-8F06-00C04FC295E1}
- New Xenroll.dll information:
Class ID: {127698e4-e730-4e5c-a2b1-21490a70c8a1}
sXEnrollVersion="5,131,3659,0"
- Old Scrdenrl.dll information:
Class ID: {80CB7887-20DE-11D2-8D5C-00C04FC29D45}
- New Scrdenrl.dll information:
Class ID: {c2bbea20-1f2b-492f-8a06-b1c5ffeace3b}
sScrdEnrlVersion="5,131,2195,5938"
The Windows 2000 update will automatically update the Windows 2000
CA Web enrollment pages to use the new controls for Windows client enrollment.
Third-party CAs must provide appropriate patches or update Web pages
appropriately to use the new Xenroll.dll control class ID.
The Smartcard
Enrollment control is only used with Windows 2000 CAs. This control does not
apply to Windows NT 4.0, Windows 98, Windows 98 Second Edition, or Windows
Millennium Edition. The following Web pages are updated on a Windows 2000 CA:
Certdat.inc
Certsgcl.inc
Certsces.asp
To manually
patch a Windows NT 4.0-based server that has Certificate Services installed,
follow these steps:
- Type the following command at a command prompt to manually extract the
updated files to a temporary folder:
q323172i /x
- Replace the
Windows_folder\System32\Certsrv\Certcontrol\Xenroll.cab file with
the new version that you extracted in step 1.
- Install the update as you typically would by running Q323172i.exe, and
then restart the computer when you are prompted.
- Update the following Active Server Pages (ASP) pages to include the new
Xenroll class ID (CLSID) and proper version information:
- Windows_folder\System32\Certsrv\CertEnroll\Ceaccept.asp
- Windows_folder\System32\Certsrv\CertEnroll\Ceenroll.asp
To do so:
- In each Web page, change the old CLSID from:
classid="clsid:43F8F289-7A20-11D0-8F06-00C04FC295E1"
to:
classid="clsid:127698e4-e730-4e5c-a2b1-21490a70c8a1"
- In each Web page, change the version number from:
CODEBASE="/CertControl/xenroll.cab#Version=5,131,2090,1"
to:
CODEBASE="/CertControl/xenroll.cab#Version=5,131,3659,0"
NOTE: If the Web page does not reference the Xenroll CLSID or a
version-dependent ProgID directly, it does not need to be updated. Calling
CreateObject with a version-independent ProgID works with both the old and the
new Xenroll control.
- Verify that
%SystemRoot%\WINNT\System32\CertSrv\CertControl\x86\Xenroll.dll has been
replaced with the new version.
- Edit the Browscap.ini file in the %SystemRoot%\System32\Inetsrv folder to
allow Internet Explorer 6.0 version browsers.
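The class ID and CODEBASE edits described in the "Server Information" section and in the steps above can be checked mechanically, both before the change (to find every page that still references the old controls) and afterwards (to confirm nothing was missed). The following Python script is an added example; it is not part of this article or of the Q323172 package. It audits enrollment pages for the old Xenroll.dll and Scrdenrl.dll class IDs, for a xenroll.cab CODEBASE version older than 5,131,3659,0, and for CreateObject calls that use a version-dependent ProgID (the "Name.Component.N" form, which the NOTE above says ties a page to one control version), and it rewrites the class IDs and the Xenroll version. The class IDs and version strings are taken from this article; the sample page and the ProgID "CEnroll.CEnroll.1" in it are constructed for illustration.

```python
import re

# Identifiers below are the ones given in this article (Q323172 / MS02-048).
OLD_XENROLL_CLSID = "43F8F289-7A20-11D0-8F06-00C04FC295E1"
NEW_XENROLL_CLSID = "127698e4-e730-4e5c-a2b1-21490a70c8a1"
OLD_SCRDENRL_CLSID = "80CB7887-20DE-11D2-8D5C-00C04FC29D45"
NEW_SCRDENRL_CLSID = "c2bbea20-1f2b-492f-8a06-b1c5ffeace3b"
NEW_XENROLL_VERSION = "5,131,3659,0"

# Old class IDs (lower-cased for case-insensitive lookup) mapped to their replacements.
CLSID_MAP = {
    OLD_XENROLL_CLSID.lower(): NEW_XENROLL_CLSID,
    OLD_SCRDENRL_CLSID.lower(): NEW_SCRDENRL_CLSID,
}

# "clsid:" followed by a 36-character GUID, as used in <OBJECT classid="clsid:...">.
CLSID_RE = re.compile(r"clsid:([0-9a-fA-F-]{36})", re.IGNORECASE)
# The version pinned in CODEBASE="/CertControl/xenroll.cab#Version=a,b,c,d".
CODEBASE_RE = re.compile(r"(xenroll\.cab#Version=)([\d,]+)", re.IGNORECASE)
# CreateObject("Server.Object.N"): the trailing .N is the COM convention for a
# version-dependent ProgID, which binds the page to one version of the control.
PROGID_RE = re.compile(r'CreateObject\(\s*"([A-Za-z][\w.]*\.\d+)"\s*\)', re.IGNORECASE)


def parse_version(text):
    """Turn '5,131,2090,1' into a tuple of ints so versions compare numerically."""
    return tuple(int(part) for part in text.split(","))


def audit_page(text):
    """Return (line_number, problem, value) for every reference that still needs the update."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CLSID_RE.finditer(line):
            if m.group(1).lower() in CLSID_MAP:
                findings.append((lineno, "old-clsid", m.group(1)))
        for m in CODEBASE_RE.finditer(line):
            if parse_version(m.group(2)) < parse_version(NEW_XENROLL_VERSION):
                findings.append((lineno, "old-codebase-version", m.group(2)))
        for m in PROGID_RE.finditer(line):
            findings.append((lineno, "version-dependent-progid", m.group(1)))
    return findings


def upgrade_page(text):
    """Rewrite old class IDs and raise the xenroll.cab version; ProgIDs are reported, not changed."""

    def swap_clsid(m):
        return "clsid:" + CLSID_MAP.get(m.group(1).lower(), m.group(1))

    def bump_version(m):
        if parse_version(m.group(2)) < parse_version(NEW_XENROLL_VERSION):
            return m.group(1) + NEW_XENROLL_VERSION
        return m.group(0)

    return CODEBASE_RE.sub(bump_version, CLSID_RE.sub(swap_clsid, text))


# Constructed sample modelled on a pre-update enrollment page; the ProgID
# "CEnroll.CEnroll.1" is illustrative and is not taken from this article.
SAMPLE_PAGE = """\
<!-- constructed sample page -->
<OBJECT classid="clsid:43F8F289-7A20-11D0-8F06-00C04FC295E1"
        CODEBASE="/CertControl/xenroll.cab#Version=5,131,2090,1"
        ID="XEnroll"></OBJECT>
<OBJECT classid="clsid:80CB7887-20DE-11D2-8D5C-00C04FC29D45" ID="SCrdEnrl"></OBJECT>
<SCRIPT LANGUAGE="VBScript">
  Set objEnroll = CreateObject("CEnroll.CEnroll.1")
</SCRIPT>
"""

if __name__ == "__main__":
    for lineno, problem, value in audit_page(SAMPLE_PAGE):
        print(f"line {lineno}: {problem}: {value}")
    print(upgrade_page(SAMPLE_PAGE))
```

Run audit_page over each page under the CertEnroll folder (and over any third-party pages that embed the controls) before and after applying the update: a clean run afterwards should report nothing but version-dependent ProgIDs, which are left for manual review because the NOTE above says the right fix for those is a version-independent ProgID, not a search-and-replace. The rewrite covers only the Xenroll CODEBASE version because that is the one the steps above specify; Scrdenrl.dll pages are handled by the Windows 2000 update itself.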
When a Web page has been
successfully updated, if you are using a client that has not been updated, you
receive the following message that indicates that the updated control is being
downloaded and registered in the Internet Explorer browser:
Downloading ActiveX Control
You can use Windows
2000-based and Windows XP-based client computers in conjunction with the Web
enrollment services pages on IIS and a Windows 2000 CA to enroll smartcards on
behalf of other users. The Smartcard Enrollment station works through Internet
Explorer on the client computer and IIS on the server that is hosting the CA Web
enrollment pages (this is an optional component during CA installation). The new
version of the Smartcard Enrollment control on an updated Web site is not marked
"safe for scripting." You must manually configure the Internet Explorer browser
to add the Web server computer that is hosting the Web enrollment pages to the
list of trusted sites in the
Security tab of the Internet
Explorer options. If you do not do so, the Smartcard Enrollment control will not
be downloaded and it cannot be used. After the Web server has been added to the
list of trusted sites, the Smartcard Enrollment pages still display the
following warning (this message appears by design):
An Active control on this page might be unsafe to interact
with other parts of the page. Do you want to allow this interaction yes/no?
Click
Yes to continue using the Smartcard Enrollment
station Web pages.
If the Web server is not listed in the trusted sites
in Internet Explorer, you receive the following error message:
The proper version of the ActiveX Control failed to download
and install. You may not have sufficient permissions. Please ask your system
administrator for assistance.
For additional information about possible
problems installing Certificate Services after you apply this update, click the
article number below to view the article in the Microsoft Knowledge Base:
328595
Problems Installing Certificate Services After you Apply the Q323172 Patch
For more information about this vulnerability, visit the following Microsoft
Web site:
http://www.microsoft.com/technet/security/bulletin/MS02-048.asp
For
additional information about Windows Millennium Edition hotfixes, click the
article number below to view the article in the Microsoft Knowledge Base:
295413
General Information About Windows Millennium Edition Hotfixes
For additional
information about Windows 98 and Windows 98 Second Edition hotfixes, click the
article number below to view the article in the Microsoft Knowledge Base:
206071
General Information on Windows 98 and SE Hotfixes