CVE-2002-1183
Description
Microsoft Windows 98 and Windows NT 4.0 do not properly verify the Basic Constraints of digital certificates, allowing remote attackers to execute code, aka "New Variant of Certificate Validation Flaw Could Enable Identity Spoofing" (CAN-2002-0862).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A certificate validation flaw in Windows 98 and NT 4.0 allows remote attackers to execute arbitrary code by spoofing digital certificates.
Vulnerability
Microsoft Windows 98, Windows 98 Second Edition, and Windows NT 4.0 (including Terminal Server Edition) do not properly verify the Basic Constraints extension of digital certificates [1]. This flaw allows a certificate that is not a Certificate Authority (CA) certificate to be treated as a CA certificate, enabling identity spoofing. The vulnerability is present in the certificate validation logic of the affected operating systems.
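The check described above, as an added example that is not code from this page or from Microsoft: a path validator that rejects any issuing certificate lacking cA=TRUE in Basic Constraints. It goes one step further and also enforces pathLenConstraint. The `Cert` model, function name and all sample names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Cert:
    """Constructed stand-in for the X.509 fields this check reads."""
    subject: str
    issuer: str
    is_ca: Optional[bool] = None     # basicConstraints cA; None = extension absent
    path_len: Optional[int] = None   # pathLenConstraint; None = unlimited


def basic_constraints_errors(chain: List[Cert], roots: Set[str]) -> List[str]:
    """chain is leaf-first and ends at the root. Returns [] when the path passes.

    Signature, validity-period and revocation checks are out of scope here,
    and self-issued intermediates are not modelled.
    """
    errors = []
    if chain[-1].subject not in roots:
        errors.append(f"{chain[-1].subject}: not a trusted root")
    for i, cert in enumerate(chain[:-1]):
        if cert.issuer != chain[i + 1].subject:
            errors.append(f"{cert.subject}: issuer does not match next certificate")
    # Every certificate above the leaf acts as an issuer, so it must assert cA=TRUE.
    for i, issuer in enumerate(chain[1:], start=1):
        if issuer.is_ca is not True:
            errors.append(f"{issuer.subject}: issues certificates but is not a CA")
        # pathLenConstraint caps the intermediates between this cert and the leaf.
        elif issuer.path_len is not None and i - 1 > issuer.path_len:
            errors.append(f"{issuer.subject}: pathLenConstraint exceeded")
    return errors


# Constructed sample data.
ROOTS = {"Example Root CA"}
root = Cert("Example Root CA", "Example Root CA", is_ca=True)
sub_ca = Cert("Example Issuing CA", "Example Root CA", is_ca=True, path_len=0)
site = Cert("shop.example", "Example Issuing CA", is_ca=False)
# A certificate whose issuer is an end-entity certificate, not a CA:
forged = Cert("Trusted Publisher", "shop.example")

GOOD_CHAIN = [site, sub_ca, root]
BAD_CHAIN = [forged, site, sub_ca, root]

if __name__ == "__main__":
    print(basic_constraints_errors(GOOD_CHAIN, ROOTS))
    print(basic_constraints_errors(BAD_CHAIN, ROOTS))
```

A validator that performs only name chaining and signature checks would accept `BAD_CHAIN`; the Basic Constraints check is what rejects it.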
Exploitation
An attacker can exploit this vulnerability by crafting a malicious digital certificate that appears to be issued by a trusted CA. The attacker then hosts a website or sends an email containing an Authenticode-signed executable that uses this spoofed certificate. If a user visits the website or opens the attachment, the attacker can execute arbitrary code on the user's system. No authentication is required, but user interaction is necessary.
Impact
Successful exploitation allows the attacker to execute arbitrary code with the privileges of the logged-on user. The attacker could install programs, view, change, or delete data, or create new accounts with full user rights. The vulnerability also enables identity spoofing, as the attacker can present a certificate that appears to be from a trusted source.
Mitigation
Microsoft released security bulletin MS02-050 with patches for the affected systems [1]. Patches are provided for Windows 98 and Windows 98 Second Edition, and for Windows NT 4.0 and Windows NT 4.0 Terminal Server Edition. Users should apply the appropriate patch immediately. No workarounds are documented in the bulletin.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:microsoft:windows_98:*:gold:*:*:*:*:*:*
- (no CPE)
- cpe:2.3:o:microsoft:windows_98se:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_nt:4.0:*:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.securityfocus.com/bid/5410 (nvd; Exploit, Patch, Vendor Advisory)
- docs.microsoft.com/en-us/security-updates/securitybulletins/2002/ms02-050 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/9776 (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1059 (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1455 (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2108 (nvd)
News mentions
No linked articles in our index yet.