RESOLUTION
Microsoft has released an update that prevents the flawed control from being called from Web pages and installs new versions of the control. The client update includes a registry change that turns off the earlier version of the control and installs the new version of the control. Because a common version of the Certificate Enrollment control must be provided to all supported clients, a dependency on CryptoAPI is created. The new Certificate Enrollment control is dependent on functionality that is only available with Microsoft Internet Explorer 5.0 or later. Therefore, this update is not installed on computers that are not running Internet Explorer 5 or later. If you are not using Internet Explorer 5 or later, you receive the following error message:
This update is not designed for your version of Internet Explorer. Press OK to exit.
NOTE: If you add or remove components from your computer, you must reapply this update.
For more information about how to resolve this vulnerability, click any of the following links to review the section that applies to your operating system.
Windows XP (All Versions)
To resolve this problem, obtain the latest service pack for Windows XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
322389 How to Obtain the Latest Windows XP Service Pack
Windows XP Pre-SP1 Download Information
If you have not applied Windows XP Service Pack 1 (SP1) or later, apply the appropriate patch to resolve this problem. The following files are available for download from the Microsoft Download Center:
Windows XP Professional and Windows XP Home:
Windows XP 64-Bit Edition:
Release Date: August 28, 2002
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
Installation Information
Before you apply this update, close all programs, Internet Explorer browser sessions, and Web services.
To apply this update on a Windows XP-based client, the user who is logged on must be a member of the local Power Users group or the Administrators group.
You must restart your computer after you apply this update. This update supports the following Setup switches:
- -?: Display the list of installation switches.
- -u: Unattended mode.
- -f: Force other programs to quit when the computer shuts down.
- -n: Do not back up files for uninstallation.
- -o: Overwrite OEM files without prompting.
- -z: Do not restart when installation is complete.
- -q: Quiet mode (no user interaction).
- -l: List installed hotfixes.
- -x: Extracts the files without running Setup.
For example, to install the update without any user intervention, and then to not force the computer to restart, use the following command line:
WARNING: Your computer is vulnerable until you restart it.
File Information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (also known as Universal Time Coordinate [UTC]). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Date         Version        Size      File name
------------------------------------------------
09-Jul-2002  5.131.3659.0   172,664   Xenroll.dll
Windows 2000 (All Versions) Service Pack Information
To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
Windows 2000 (All Versions) Hotfix Information
A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This fix may receive additional testing. If your computer is sufficiently at risk, Microsoft recommends that you apply this fix now. Otherwise, wait for the next Windows 2000 service pack that contains this fix.
To resolve this problem immediately, download the fix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:
NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.
Download Information
The following file is available for download from the Microsoft Download Center:
Release Date: August 28, 2002
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on secure servers that prevent any unauthorized changes to the file.
Installation Information
Before you apply this update, close all programs, Internet Explorer browser sessions, and Web services.
To apply this update on a Windows 2000-based client, the user who is logged on must be a member of the local Power Users group or the Administrators group.
Downloading the Certificate Enrollment control (Xenroll.dll) from a Windows 2000 server that has Certificate Services installed to Alpha-based client computers is no longer supported.
You must restart your computer after you apply this update. This update supports the following Setup switches:
- -?: Display the list of installation switches.
- -u: Unattended mode.
- -f: Force other programs to quit when the computer shuts down.
- -n: Do not back up files for uninstallation.
- -o: Overwrite OEM files without prompting.
- -z: Do not restart when installation is complete.
- -q: Quiet mode (no user interaction).
- -l: List installed hotfixes.
- -x: Extracts the files without running Setup.
For example, to install the update without any user intervention, and then to not force the computer to restart, use the following command line:
WARNING: Your computer is vulnerable until you restart it.
File Information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Date         Version           Size      File name
---------------------------------------------------
09-Jul-2002  5.131.3659.0      172,664   Xenroll.dll
05-Aug-2002  5.131.2195.5938   48,568    Scrdenrl.dll
Windows NT 4.0 (All Versions)
A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that you determine are at risk of attack. Evaluate the computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to the computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This hotfix may receive additional testing. If the computer is sufficiently at risk, we recommend that you apply this hotfix now.
To resolve this problem immediately, download the hotfix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:
Note In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.
Download Information
The following files are available for download from the Microsoft Download Center:
Windows NT 4.0: the Q323172 package is available in English, Arabic, Chinese (Simplified), Chinese (Traditional), Chinese (Hong Kong), Czech, Danish, Dutch, Finnish, French, German, Hebrew, Hungarian, Italian, Japanese, Japanese NEC, Korean, Norwegian, Polish, Portuguese (Brazilian), Russian, Spanish, Swedish, and Thai.
Release Date: August 28, 2002
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on secure servers that prevent any unauthorized changes to the file.
Installation Information
Before you apply this update, close all programs, Internet Explorer browser sessions, and Web services.
To apply this update on a Windows NT 4.0 client, the user who is logged on must be a member of the local Power Users group or the Administrators group.
Downloading the Certificate Enrollment control (Xenroll.dll) from a Windows NT 4.0 Server that has Certificate Services installed to Alpha-based client computers is no longer supported.
You must restart your computer after you apply this update. This update supports the following Setup switches:
- -y: Perform uninstall (only with -m or -q).
- -f: Force programs to be closed at shutdown.
- -n: Do not create an Uninstall folder.
- -z: Do not restart when update completes.
- -q: Quiet or Unattended mode with no user interface (this switch is a superset of -m).
- -m: Unattended mode with user interface.
- -l: List installed hotfixes.
- -x: Extracts the files without running Setup.
For example, to install the update without any user intervention, and then to not force the computer to restart, use the following command line:
WARNING: Your computer is vulnerable until you restart it.
File Information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Date         Version        Size      File name
------------------------------------------------
09-Jul-2002  5.131.3659.0   172,664   Xenroll.dll
Windows Millennium Edition, Windows 98 Second Edition, and Windows 98
A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This fix may receive additional testing. If your computer is sufficiently at risk, Microsoft recommends that you apply this fix now.
To resolve this problem immediately, download the fix by clicking the download link later in this article or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, please visit the following Microsoft Web site:
NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.
Download Information
The following files are available for download from the Microsoft Download Center:
Windows Millennium Edition:
Windows 98 and Windows 98 Second Edition:
Release Date: August 28, 2002
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on secure servers that prevent any unauthorized changes to the file.
Installation Information
Before you apply this update, close all programs, Internet Explorer browser sessions, and Web services.
File Information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Date         Version        Size      File name
------------------------------------------------
09-Jul-2002  5.131.3659.0   172,664   Xenroll.dll
MORE INFORMATION
Client Information
After you apply this update to a client computer, the client cannot enroll with a Web server to which the update has not been applied. On such a client, you may see Web pages that stop responding, you may receive error messages that state the ActiveX control could not be downloaded, or enrollment may not be successful.
When a client computer for which the updated control has not been applied tries to enroll with a Web server that has been updated, the Web server downloads the updated control to the client computer.
IMPORTANT: Even if a Web site has been updated and client enrollment is successful, you must update the client computer to remove this vulnerability. Netscape browsers do not use the Certificate Enrollment control when enrolling with a Microsoft Windows Certificate Server; however, the client computers must be updated to remove this vulnerability.
Server Information
If you operate a Web site that uses the Certificate Enrollment control, you must make minor revisions to your Web programs to use the new control. Both Windows NT 4.0-based servers and Windows 2000-based servers that host Certificate Services Web enrollment pages must be updated with the new Certificate Enrollment control and the Smartcard Enrollment control. If a Windows certification authority (CA) also has Web enrollment services installed on separate Internet Information Services (IIS)-based servers, you must also apply the server update to those Web sites. Third-party Web sites that use either of these controls must also update any Web pages that use these controls. The Web site must refer to the new class identifier (ID) and version of Xenroll.dll and Scrdenrl.dll:
- Old Xenroll.dll information:
Class ID: {43F8F289-7A20-11D0-8F06-00C04FC295E1}
- New Xenroll.dll information:
Class ID: {127698e4-e730-4e5c-a2b1-21490a70c8a1}
sXEnrollVersion="5,131,3659,0"
- Old Scrdenrl.dll information:
Class ID: {80CB7887-20DE-11D2-8D5C-00C04FC29D45}
- New Scrdenrl.dll information:
Class ID: {c2bbea20-1f2b-492f-8a06-b1c5ffeace3b}
sScrdEnrlVersion="5,131,2195,5938"
The Windows 2000 update will automatically update the Windows 2000 CA Web enrollment pages to use the new controls for Windows client enrollment. Third-party CAs must provide appropriate patches or update Web pages appropriately to use the new Xenroll.dll control class ID.
The Smartcard Enrollment control is only used with Windows 2000 CAs. This control does not apply to Windows NT 4.0, Windows 98, Windows 98 Second Edition, or Windows Millennium Edition.
The following Web pages are updated on a Windows 2000 CA:
Certdat.inc
Certsgcl.inc
Certsces.asp
To manually patch a Windows NT 4.0-based server that has Certificate Services installed, follow these steps:
- Type the following command at a command prompt to manually extract the updated files to a temporary folder:
- Replace the Windows_folder\System32\Certsrv\Certcontrol\Xenroll.cab file with the new version that you extracted in step 1.
- Install the update as you typically would by running Q323172i.exe, and then restart the computer when you are prompted.
- Update the following Active Server Pages (ASP) pages to include the new Xenroll class ID (CLSID) and proper version information:
- Windows_folder\System32\Certsrv\CertEnroll\Ceaccept.asp
- Windows_folder\System32\Certsrv\CertEnroll\Ceenroll.asp
To do so:
- In each Web page, change the old CLSID from:
classid="clsid:43F8F289-7A20-11D0-8F06-00C04FC295E1"
to:
classid="clsid:127698e4-e730-4e5c-a2b1-21490a70c8a1"
- In each Web page, change the version number from:
CODEBASE="/CertControl/xenroll.cab#Version=5,131,2090,1"
to:
CODEBASE="/CertControl/xenroll.cab#Version=5,131,3659,0"
NOTE: If the Web page does not reference the Xenroll CLSID or a version-dependent ProgID directly, it does not need to be updated. A fix that works for both the old and the new Xenroll is to use CreateObject with a version-independent ProgID.
- Verify that %SystemRoot%\WINNT\System32\CertSrv\CertControl\x86\Xenroll.dll has been replaced with the new version.
- Edit the Browscap.ini file in the %SystemRoot%\System32\Inetsrv folder to allow Internet Explorer 6.0 version browsers.
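As an added example (not part of this article or of the Q323172 package), the following Python script audits and rewrites enrollment pages the way the ASP update steps above and the Server Information class IDs describe: it flags any classid attribute that still carries the old Xenroll.dll or Scrdenrl.dll CLSID and any CODEBASE tag whose version is not the new one, and rewrites them to the new values. The sample page, the file extensions scanned and the latin-1 file encoding are assumptions.

```python
import re
from pathlib import Path

# Class IDs and version strings exactly as the article gives them.
OLD_XENROLL_CLSID = "43F8F289-7A20-11D0-8F06-00C04FC295E1"
NEW_XENROLL_CLSID = "127698e4-e730-4e5c-a2b1-21490a70c8a1"
OLD_SCRDENRL_CLSID = "80CB7887-20DE-11D2-8D5C-00C04FC29D45"
NEW_SCRDENRL_CLSID = "c2bbea20-1f2b-492f-8a06-b1c5ffeace3b"
NEW_VERSION = {"xenroll": "5,131,3659,0", "scrdenrl": "5,131,2195,5938"}
NEW_CLSID = {OLD_XENROLL_CLSID.lower(): NEW_XENROLL_CLSID,
             OLD_SCRDENRL_CLSID.lower(): NEW_SCRDENRL_CLSID}

# classid="clsid:<guid>"  (group 2 is the GUID)
CLSID_RE = re.compile(r'(classid\s*=\s*"clsid:)([0-9a-f-]{36})(")', re.IGNORECASE)
# CODEBASE="/CertControl/xenroll.cab#Version=5,131,2090,1"  (group 2 control, group 3 version)
CODEBASE_RE = re.compile(
    r'(codebase\s*=\s*"[^"]*?/(xenroll|scrdenrl)\.cab#version=)([0-9,]+)(")', re.IGNORECASE)


def find_stale_references(page_text):
    """Audit one page: return (line_no, description) for each old CLSID or
    out-of-date CODEBASE version.  A page that only uses CreateObject with a
    version-independent ProgID yields nothing, matching the article's note."""
    findings = []
    for n, line in enumerate(page_text.splitlines(), 1):
        for m in CLSID_RE.finditer(line):
            if m.group(2).lower() in NEW_CLSID:
                findings.append((n, "old clsid " + m.group(2)))
        for m in CODEBASE_RE.finditer(line):
            control = m.group(2).lower()
            if m.group(3) != NEW_VERSION[control]:
                findings.append((n, f"{control} version {m.group(3)}"))
    return findings


def update_enrollment_page(page_text):
    """Rewrite old CLSIDs and CODEBASE versions to the new values; other text is untouched."""
    def fix_clsid(m):
        return m.group(1) + NEW_CLSID.get(m.group(2).lower(), m.group(2)) + m.group(3)

    def fix_codebase(m):
        return m.group(1) + NEW_VERSION[m.group(2).lower()] + m.group(4)

    return CODEBASE_RE.sub(fix_codebase, CLSID_RE.sub(fix_clsid, page_text))


def patch_directory(root, extensions=(".asp", ".inc")):
    """Apply update_enrollment_page to every ASP/include file under root
    (for example the CertEnroll folder); returns the paths that changed.
    Assumes the pages are single-byte ANSI text (read and written as latin-1)."""
    changed = []
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in extensions:
            before = path.read_text(encoding="latin-1")
            after = update_enrollment_page(before)
            if after != before:
                path.write_text(after, encoding="latin-1")
                changed.append(str(path))
    return changed


# Constructed sample modelled on the article's snippets; not a real Ceenroll.asp.
SAMPLE_PAGE = """<OBJECT classid="clsid:43F8F289-7A20-11D0-8F06-00C04FC295E1" ID="XEnroll"
    CODEBASE="/CertControl/xenroll.cab#Version=5,131,2090,1"></OBJECT>
<OBJECT classid="clsid:80CB7887-20DE-11D2-8D5C-00C04FC29D45" ID="SCrdEnrl"></OBJECT>
"""
```

Run find_stale_references over the CertEnroll pages first to see what is still referencing the old controls, then patch_directory to rewrite them; the audit returning nothing afterwards is the check that the site no longer loads the flawed control.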
When a Web page has been successfully updated, if you are using a client that has not been updated, you receive the following message that indicates that the updated control is being downloaded and registered in the Internet Explorer browser:
Downloading ActiveX Control
You can use Windows 2000-based and Windows XP-based client computers in conjunction with the Web enrollment services pages on IIS and a Windows 2000 CA to enroll smartcards on behalf of other users. The Smartcard Enrollment station works through Internet Explorer on the client computer and IIS on the server that is hosting the CA Web enrollment pages (this is an optional component during CA installation). The new version of the Smartcard Enrollment control on an updated Web site is not marked "safe for scripting." You must manually configure the Internet Explorer browser to add the Web server computer that is hosting the Web enrollment pages to the list of trusted sites in the Security tab of the Internet Explorer options. If you do not do so, the Smartcard Enrollment control will not be downloaded and it cannot be used. After the Web server has been added to the list of trusted sites, the Smartcard Enrollment pages still display the following warning (this message appears by design):
An ActiveX control on this page might be unsafe to interact with other parts of the page. Do you want to allow this interaction yes/no?
Click Yes to continue using the Smartcard Enrollment station Web pages.
If the Web server is not listed in the trusted sites in Internet Explorer, you receive the following error message:
The proper version of the ActiveX Control failed to download and install. You may not have sufficient permissions. Please ask your system administrator for assistance.
For additional information about possible problems installing Certificate Services after you apply this update, click the article number below to view the article in the Microsoft Knowledge Base:
328595 Problems Installing Certificate Services After you Apply the Q323172 Patch
For more information about this vulnerability, visit the following Microsoft Web site:
For additional information about Windows Millennium Edition hotfixes, click the article number below to view the article in the Microsoft Knowledge Base:
295413 General Information About Windows Millennium Edition Hotfixes
For additional information about Windows 98 and Windows 98 Second Edition hotfixes, click the article number below to view the article in the Microsoft Knowledge Base:
206071 General Information on Windows 98 and SE Hotfixes