Purpose
The purpose of this communication is to inform about the availability of a security patch for Managed PKI Client (MPKI) Local Hosting (including Go Secure! for Exchange and Go Secure! for Web Applications) customers.
Security Vulnerability Detail
VeriSign has discovered a buffer overrun security vulnerability affecting all releases of MPKI. This buffer overrun vulnerability was found in VeriSign’s ConfigChk ActiveX control (VSCnfChk.dll), shipped as part of the MPKI Local Hosting site kit and included for download in the Remote Hosting site kit (the Digital ID Center Web pages hosted on the Processing Center back end), and also included as a part of Go Secure! for Exchange and Go Secure! for Web Applications.
This ActiveX control is downloaded during certificate enrollment to end-user machines running Internet Explorer (IE) browsers on Windows 95, 98, 2000, XP, 2003 and performs the following functions:
1. Check the version of cryptographic DLLs on Windows 95 and Windows 98
2. Perform a browser version and cryptography strength check
3. Perform a test key generation
4. Check user privileges on the machine for power user rights
The ActiveX control is referenced on the enrollment pages and is downloaded to the client’s IE browser.
The patch (a new ActiveX control) can be delivered to end users through an MSI package, or the end user can simply visit the enrollment page and download the updated CAB file containing the ActiveX control.
End users using CSR-based enrollment do not download the ActiveX control and are therefore not affected by this vulnerability.
Recommended Action
We recommend you take the following actions:
1. Install the patch on your Local Hosted environments following the instructions in the release notes
2. Make the ActiveX control available to end users; your end users can download the ActiveX control via the enrollment pages for a client certificate
If you are using the MSI software package, you have to distribute the patched version to your users.
Please consult the release notes for further details.
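After the patch has been rolled out (step 1 and 2 above, or via the MSI package), an administrator will want to confirm which end-user machines still carry the old ConfigChk control. The following PowerShell script is an added example and is not part of the VeriSign/Getronics advisory or patch; it assumes that the downloaded control (VSCnfChk.dll) lives in Internet Explorer's "Downloaded Program Files" cache or in System32 after an MSI install, and the $PatchedVersion value is a placeholder that must be replaced with the file version given in the release notes.

```powershell
# Added example (not from the advisory): report whether this endpoint still has a
# pre-patch copy of the ConfigChk ActiveX control (VSCnfChk.dll).
# ASSUMPTIONS: the control is cached under IE's "Downloaded Program Files" folder
# (or under System32 after an MSI install); $PatchedVersion is a PLACEHOLDER and must
# be replaced with the patched file version from the release notes.

param(
    [string]$PatchedVersion = '0.0.0.0'   # PLACEHOLDER: take the real value from the release notes
)

$searchRoots = @(
    (Join-Path $env:windir 'Downloaded Program Files'),   # IE cache for downloaded ActiveX controls
    (Join-Path $env:windir 'System32')                    # assumed location after an MSI-based install
)

# Locate every copy of the control; missing folders are skipped silently.
$found = Get-ChildItem -Path $searchRoots -Filter 'VSCnfChk.dll' -Recurse -ErrorAction SilentlyContinue

if (-not $found) {
    Write-Output "VSCnfChk.dll not present on $env:COMPUTERNAME (CSR-based enrollment, or control never downloaded)"
    return
}

foreach ($dll in $found) {
    # Build a System.Version from the numeric parts so odd FileVersion strings ("1, 0, 0, 1") do not break the compare.
    $vi  = $dll.VersionInfo
    $ver = New-Object System.Version ($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    $status = if ($ver -lt [version]$PatchedVersion) { 'VULNERABLE (pre-patch control)' } else { 'patched' }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Path     = $dll.FullName
        Version  = $ver
        Status   = $status
    }
}
```

Run it on each workstation (for example through the same software-distribution channel used for the MSI package) and collect the objects it emits; any row marked VULNERABLE is a machine whose user has neither received the MSI nor revisited the enrollment page to pick up the updated CAB file. Note that Internet Explorer's kill-bit mechanism for blocking an old control outright needs the control's CLSID, which this advisory does not list, so that step is deliberately not included here.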
Scope of Patch Release
This patch has been qualified with Managed PKI 6.0, 6.1.3, and 7.0 but should work with Managed PKI 5.x and OnSite 4.6.1. This patch will be applied to all future MPKI releases. This patch will not work with IE on Windows 95/98.
Technical Support
We value your business and are committed to customer care. Please contact us if we can assist or answer any questions. Customer Support can be reached via email at pkisupport@getronics.com or via phone at +31 20 570 4733.