CVE-2009-0085

Name of the Vulnerable Software and Affected Versions Microsoft Windows versions 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008

Description A spoofing issue exists in the Secure Channel (SChannel) authentication component when certificate authentication is used. This allows remote attackers to spoof authentication by crafting a Transport Layer Security (TLS) packet based on knowledge of the certificate but not the private key. An attacker who successfully exploits this issue can authenticate to a server using only an authorized user's digital certificate and without the associated private key.

Recommendations For Microsoft Windows 2000 SP4, update the SChannel authentication component to prevent spoofing. For Microsoft Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008, apply the necessary patch to fix the SChannel Spoofing Vulnerability. As a temporary workaround, consider restricting access to the SChannel authentication component until a patch is available.