COMMAND
CryptoAPI
SYSTEMS AFFECTED
Win2000
PROBLEM
Filip Schepers (ISS Brussels) found the following. He was performing
a lock-down of a Windows 2000 Advanced Server with Service Pack 1
preinstalled, when he found out that the pre-SP1 hotfix, MS00-032
(Windows 2000 protected store vulnerability, KB article Q260219),
appeared not to have been installed (psbase.dll < 5.0.2195.2096),
even though Microsoft states this hotfix is included in Windows
2000 Service Pack 1.
On the Technet Security website, Microsoft says the following about
this hotfix: "The patch can be applied atop Windows 2000 Gold,
and will be included in Windows 2000 Service Pack 1. However,
regardless of how the patch is applied, keymigrt still must be
run one time, to re-encrypt all its already in the Protected
Store." (sic)
Microsoft also states in KB article Q269428 that this hotfix was
included in Service Pack 1:
http://support.microsoft.com/support/kb/articles/Q269/4/28.ASP
Original issue can be found at:
http://oliver.efri.hr/~crv/security/bugs/NT/capi2.html
After looking at the "offending" psbase.dll in the pre-SP1 hotfix
and SP1, it shows that the dll that comes with the pre-SP1 hotfix
is _newer_ than the dll that comes with the service pack. Also,
the bulletin mentions that people should run the keymigrt utility
that comes with the hotfix to upgrade protection of already
installed key material to strong crypto. This utility is not
installed with the service pack.
Also, it is not possible to install a pre-SP1 hotfix over an SP1
system (at least not by simply running the hotfix executable).
Filip investigated 2 SP1 systems: 1 Windows 2000 Professional
with the strong SP1 applied directly, and a Windows 2000 Advanced
Server with weak SP1 applied that was upgraded to strong using
the strong crypto pack. Filip hasn't been able to check a weak
SP1 only system, and doesn't know what happens if you apply
the hotfix to a vanilla W2K and then upgrade it to SP1.
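The psbase.dll version check described above can be run against a copy of the DLL taken from the audited system. The following is an added example, not part of the original report: it scans the file for the VS_FIXEDFILEINFO signature and compares the file version with the 5.0.2195.2096 threshold given above. The function names and the constructed sample bytes are assumptions made for illustration.

```python
import struct
import sys

# Threshold from the advisory: psbase.dll older than this lacks the MS00-032 fix.
FIXED_VERSION = (5, 0, 2195, 2096)
VS_FFI_SIGNATURE = struct.pack("<I", 0xFEEF04BD)  # VS_FIXEDFILEINFO.dwSignature


def file_version(data):
    """Return the 4-part file version from a PE image's version resource, or None."""
    pos = data.find(VS_FFI_SIGNATURE)
    while pos != -1:
        if pos + 16 <= len(data):
            struc_ver, ms, ls = struct.unpack_from("<III", data, pos + 4)
            # dwStrucVersion is expected to be 0x00010000; checking it
            # filters out chance matches of the signature bytes.
            if struc_ver == 0x00010000:
                return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)
        pos = data.find(VS_FFI_SIGNATURE, pos + 1)
    return None


def has_ms00_032_fix(data):
    """True if patched, False if older, None if no version resource was found."""
    version = file_version(data)
    if version is None:
        return None
    return version >= FIXED_VERSION


def make_sample(version):
    """Constructed test input: padding plus a minimal VS_FIXEDFILEINFO header."""
    a, b, c, d = version
    return b"MZ" + b"\x00" * 62 + VS_FFI_SIGNATURE + struct.pack(
        "<III", 0x00010000, (a << 16) | b, (c << 16) | d)


if __name__ == "__main__":
    # Usage: python check_psbase.py <path to a copy of psbase.dll>
    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    print(file_version(blob), "patched:", has_ms00_032_fix(blob))
```

A passing version only shows that the newer DLL is present; it says nothing about whether keymigrt has been run on key material already in the Protected Store.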
SOLUTION
Nothing yet.