Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

MS09-056: Vulnerabilities in CryptoAPI could allow spoofing


View products that this article applies to.

Support for Windows Vista Service Pack 1 (SP1) ends on July 12, 2011. To continue receiving security updates for Windows, make sure you're running Windows Vista with Service Pack 2 (SP2). For more information, refer to this Microsoft web page: Support is ending for some versions of Windows.

↑ Back to the top


INTRODUCTION

Microsoft has released security bulletin MS09-056. To view the complete security bulletin, visit one of the following Microsoft Web sites:

How to obtain help and support for this security update


Help installing updates:
Support for Microsoft Update

Security solutions for IT professionals:
TechNet Security Troubleshooting and Support

Help protect your computer that is running Windows from viruses and malware:
Virus Solution and Security Center

Local support according to your country:
International Support

↑ Back to the top


More Information

Known issues that affect this security update


  • After you install this update on a computer that is running the System Center Configuration Manager 2007, Service Pack 1 (SP1) client or the System Center Configuration Manager 2007 Service Pack 2 (SP2) client, a user state migration may fail.

    For more information about how to resolve this issue, click the following article number to view the article in the Microsoft Knowledge Base:

    977203 User state migration fails on a System Center Configuration Manager 2007 Service Pack 1 client or on a System Center Configuration Manager 2007 Service Pack 2 client after you install security update 974571

  • Services that are required by Communications Server are not started after you install this update and then restart a computer that is running any of the following versions of Communications Server:

    • Live Communications Server 2005 (LCS)
    • Live Communications Server 2005 SP1
    • Office Communications Server 2007 Enterprise edition (OCS)
    • Office Communications Server 2007 Standard edition
    • Office Communications Server 2007 R2 Enterprise edition
    • Office Communications Server 2007 R2 Standard edition
    • Office Communicator 2007 Evaluation version only*
    • Office Communicator 2007 R2 Evaluation version only*
    • Office Communicator 2005
    *The licensed production version of this application is not affected by this known issue. Only Office Communicator clients that are in their 180-day evaluation period are affected by this issue.





    When this problem occurs, the following error events are logged in the Application logs in the Event Viewer of the affected servers:

    • Live Communications Server 2005

      Event Type: Error
      Event Source: Live Communications Server
      Event Category: (1000)
      Event ID: 12290
      Date: Date
      Time: Time
      User: N/A
      Computer: Computer
      Description:
      The evaluation period for Microsoft Office Live Communication Server 2005 has expired. Obtain the released version of this product and upgrade to the non-evaluation version by running setup.exe.
    • Office Communications Server 2007

      Log Name: Office Communications Server
      Source: OCS Server
      Date: Date
      Event ID: 12290
      Task Category: (1000)
      Level: Error
      Keywords: Classic
      User: N/A
      Computer: Computer
      Description:
      The evaluation period for Microsoft Office Communications Server 2007 R2 has expired. Please upgrade from the evaluation version to the full released version of the product.




      Log Name: Office Communications Server
      Source: OCS Server
      Date: Date
      Event ID: 12299
      Task Category: (1000)
      Level: Error
      Keywords: Classic
      User: N/A
      Computer: Computer
      Description:
      The service is shutting down due to an internal error.


      Error Code: C3E93C23 (SIPPROXY_E_INVALID_INSTALLATION_DATA)
      Cause: Check the previous entries in the event log for the failure reason.
      Resolution:
      Check the previous event log entries and resolve them. Restart the server. If the problem persists, contact Product Support Services.







    When this problem occurs, the required services behave as if an expired trial version of the product is installed. This behavior affects the whole Communications Server enterprise that is hosted by the affected server or servers.

    Customers who are not running OCS or LCS server are not affected by this known issue, and can safely ignore this issue.

    Customers who have deployed the OCS or LCS product on a server should assess the risk that is involved to decide whether to install the security update on that server. These customers should revisit this Knowledge Base article often, because this article will be updated as soon as more information and a resolution are available.



  • When you deploy the Standard Edition role on a new installation of any version of Office Communications Server, activation fails if security update 974571 is installed. To resolve this problem, apply this fix, and then run the activation again. When activation fails, the following warning event is logged in the Office Communications Server log in the Event Viewer of the affected servers.

    This same event is also shown as a failure in the Activate Standard Edition Server log:
  • Issues with Windows 2000 Certificate Services and MS09-056


    Smartcard certificates that are issued by a Windows 2000 CA where the userPrincipalname (UPN) of the user is empty may include an incorrectly-formatted Subject Alternate Name (SAN) that contains an additional NULL character embedded.


    After MS09-056 is installed on domain controllers in the domain, those smartcards will be rejected during logon attempts. The domain controllers start rejecting their SAN after they have MS09-056 installed.



    To resolve the issue, reissue the affected users' smartcards. If a Windows 2000 CA will be used to reissue the new smartcard certificates, the UPN of the affected users must be populated before reissuing the smartcards.



↑ Back to the top


Resolution for these known issues




A fix that resolves this issue is available for download from the Microsoft Download Center. To obtain the fix, visit the following Microsoft Web page:



The fix (OCSASNFix.exe) is governed by the Microsoft Software License Agreement for Office Communications Server 2007 R2, Office Communications Server 2007, Live Communications Server 2005, Office Communicator 2007 R2, Office Communicator 2007, and Office Communicator 2005.



This fix works for both clients and servers, and it is applicable to the following roles for all versions of Office Communications Server and Live Communications Server 2005 SP1 and for evaluation versions of Office Communicator:


  • Standard Edition Server
  • Director server role
  • Enterprise Edition Consolidated
  • Enterprise Edition Distributed – Front End
  • Edge Server
  • Proxy server role
  • Office Communicator 2007 Evaluation version only
  • Office Communicator 2007 R2 Evaluation version only
  • Office Communicator 2005 Evaluation version only






To run the fix, type the following command at a command prompt, and then press ENTER:
ocsasnfix.exe
When you run the command on a computer that is running Office Communication Server 2007, Office Communication Server 2007 R2, or Live Communications server 2005 Service Pack 1, you receive a message that resembles the following:


Checking OCS/LCS Server installation...Fixing registry data
Checking Office Communicator 2007 Eval installation...not installed.
Checking Office Communicator 2005 Eval installation...not installed.


When you run the command on a computer that is running an evaluation version of Office Communication Server 2007, Office Communication Server 2007 R2, or Live Communications server 2005, you receive a message that resembles the following:


Checking OCS/LCS Server installation...not installed.
Checking Office Communicator 2007 Eval installation...Fixing registry data
Checking Office Communicator 2005 Eval installation...not installed.





This fix can be applied either before or after you install security update 974571. If you apply the fix after you install security update 974571, we recommend that you apply the fix before you restart the computer. If you already restarted the computer after you installed security update 974571, this fix can still be applied. However, the Office Communication Services must be started manually.


If all services start without any issues, this indicates that this fix has been applied and is working correctly.


This fix sets the OCSASNFIX DWORD value to 1 for the following registry subkey on the OCS 2007/R2 and LCS 2005-SP1 Server:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RtcSrv\InstallInfo\OCSASNFIX

Additional known issues with this security update

When you deploy the Standard Edition role on a new installation of any version of Office Communications Server, activation fails if security update 974571 is installed. To resolve this problem, apply the fix that is described in the "Resolution for these known issues" section, and then run the activation again.

↑ Back to the top


FILE INFORMATION

The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.

Windows 2000 file information

For all supported editions of Microsoft Windows 2000 Service Pack 4

File NameVersionDateTimeSize
msasn1.dll5.0.2195.733405-Sep-200906:3655,056

Windows XP and Windows Server 2003 file information

  • The files that apply to a specific service branch (QFE, GDR) are noted in the "Service branch" column.
  • GDR service branches contain only those fixes that are widely released to address widespread, critical issues. QFE service branches contain hotfixes in addition to widely released fixes.
  • In addition to the files that are listed in these tables, this software update also installs an associated security catalog file (KBnumber.cat) that is signed by using a Microsoft digital signature.

For all supported x86-based versions of Windows XP

File NameVersionDateTimeSizeService branch
msasn1.dll5.1.2600.362404-Sep-200908:1558,880SP2GDR
msasn1.dll5.1.2600.362404-Sep-200908:0658,880SP2QFE
msasn1.dll5.1.2600.587504-Sep-200908:3358,880SP3GDR
msasn1.dll5.1.2600.587504-Sep-200908:2758,880SP3QFE

For all supported x64-based versions of Windows Server 2003 and of Windows XP Professional x64 edition

File NameVersionDateTimeSizeCPUService branch
msasn1.dll5.2.3790.458409-Sep-200916:32159,744X64SP2GDR
wmsasn1.dll5.2.3790.458409-Sep-200916:3258,880X86SP2GDR\wow
msasn1.dll5.2.3790.458409-Sep-200916:29159,744X64SP2QFE
wmsasn1.dll5.2.3790.458409-Sep-200916:2958,880X86SP2QFE\wow

For all supported x86-based versions of Windows Server 2003

File NameVersionDateTimeSizeService branch
msasn1.dll5.2.3790.458404-Sep-200908:5858,880SP2GDR
msasn1.dll5.2.3790.458404-Sep-200910:0158,880SP2QFE

For all supported IA-64-based versions of Windows Server 2003

File NameVersionDateTimeSizeCPUService branch
msasn1.dll5.2.3790.458409-Sep-200916:29188,928IA-64SP2GDR
wmsasn1.dll5.2.3790.458409-Sep-200916:2958,880X86SP2GDR\wow
msasn1.dll5.2.3790.458409-Sep-200916:27188,928IA-64SP2QFE
wmsasn1.dll5.2.3790.458409-Sep-200916:2758,880X86SP2QFE\wow

Windows Vista and Windows Server 2008 file information

  • The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:
    VersionProductMilestoneService branch
    6.0.6000.16xxxWindows VistaRTMGDR
    6.0.6000.20xxxWindows VistaRTMLDR
    6.0.6001.18xxxWindows Vista SP1 and Windows Server 2008 SP1SP1GDR
    6.0.6001.22xxxWindows Vista SP1 and Windows Server 2008 SP1SP1LDR
    6.0.6002.18xxxWindows Vista SP2 and Windows Server 2008 SP2SP2GDR
    6.0.6002.22xxxWindows Vista SP2 and Windows Server 2008 SP2SP2LDR
  • Service Pack 1 is integrated into the release version of Windows Server 2008. Therefore, RTM milestone files apply only to Windows Vista. RTM milestone files have a 6.0.0000.xxxxxx version number.
  • GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.

For all supported x86-based versions of Windows Vista and Windows Server 2008

File NameVersionDateTimeSizeService branch
msasn1.dll6.0.6000.1692204-Sep-200900:0860,928Windows6.0-KB974571-x86\x86_microsoft-windows-msasn1_31bf3856ad364e35_6.0.6000.16922_none_c5603d92a849343f
msasn1.dll6.0.6000.2112204-Sep-200900:0260,928Windows6.0-KB974571-x86\x86_microsoft-windows-msasn1_31bf3856ad364e35_6.0.6000.21122_none_c5e9b27fc167074b
msasn1.dll6.0.6001.1832603-Sep-200923:5461,440Windows6.0-KB974571-x86\x86_microsoft-windows-msasn1_31bf3856ad364e35_6.0.6001.18326_none_c74a7d60a56c2a8c
msasn1.dll6.0.6001.2251504-Sep-200901:5361,440Windows6.0-KB974571-x86\x86_microsoft-windows-msasn1_31bf3856ad364e35_6.0.6001.22515_none_c7ddebb3be829235
msasn1.dll6.0.6002.1810603-Sep-200923:1160,928Windows6.0-KB974571-x86\x86_microsoft-windows-msasn1_31bf3856ad364e35_6.0.6002.18106_none_c9469106a28244f5
msasn1.dll6.0.6002.2221804-Sep-200901:4960,928Windows6.0-KB974571-x86\x86_microsoft-windows-msasn1_31bf3856ad364e35_6.0.6002.22218_none_c9c75e79bba6335e

For all supported x64-based versions of Windows Vista and Windows Server 2008

File NameVersionDateTimeSizeCPUService branch
msasn1.dll6.0.6000.1692204-Sep-200900:3284,480X64Windows6.0-KB974571-x64\amd64_microsoft-windows-msasn1_31bf3856ad364e35_6.0.6000.16922_none_217ed91660a6a575
msasn1.dll6.0.6000.2112204-Sep-200900:3684,480X64Windows6.0-KB974571-x64\amd64_microsoft-windows-msasn1_31bf3856ad364e35_6.0.6000.21122_none_22084e0379c47881
msasn1.dll6.0.6001.1832604-Sep-200900:2282,944X64Windows6.0-KB974571-x64\amd64_microsoft-windows-msasn1_31bf3856ad364e35_6.0.6001.18326_none_236918e45dc99bc2
msasn1.dll6.0.6001.2251503-Sep-200923:5382,944X64Windows6.0-KB974571-x64\amd64_microsoft-windows-msasn1_31bf3856ad364e35_6.0.6001.22515_none_23fc873776e0036b
msasn1.dll6.0.6002.1810603-Sep-200923:2482,944X64Windows6.0-KB974571-x64\amd64_microsoft-windows-msasn1_31bf3856ad364e35_6.0.6002.18106_none_25652c8a5adfb62b
msasn1.dll6.0.6002.2221804-Sep-200902:0482,944X64Windows6.0-KB974571-x64\amd64_microsoft-windows-msasn1_31bf3856ad364e35_6.0.6002.22218_none_25e5f9fd7403a494
msasn1.dll6.0.6000.1692204-Sep-200900:0860,928X86Windows6.0-KB974571-x64\x86_microsoft-windows-msasn1_31bf3856ad364e35_6.0.6000.16922_none_c5603d92a849343f
msasn1.dll6.0.6000.2112204-Sep-200900:0260,928X86Windows6.0-KB974571-x64\x86_microsoft-windows-msasn1_31bf3856ad364e35_6.0.6000.21122_none_c5e9b27fc167074b
msasn1.dll6.0.6001.1832603-Sep-200923:5461,440X86Windows6.0-KB974571-x64\x86_microsoft-windows-msasn1_31bf3856ad364e35_6.0.6001.18326_none_c74a7d60a56c2a8c
msasn1.dll6.0.6001.2251504-Sep-200901:5361,440X86Windows6.0-KB974571-x64\x86_microsoft-windows-msasn1_31bf3856ad364e35_6.0.6001.22515_none_c7ddebb3be829235
msasn1.dll6.0.6002.1810603-Sep-200923:11X86Windows6.0-KB974571-x64\x86_microsoft-windows-msasn1_31bf3856ad364e35_6.0.6002.18106_none_c9469106a28244f5
60,928msasn1.dll6.0.6002.2221804-Sep-200901:4960,928X86Windows6.0-KB974571-x64\x86_microsoft-windows-msasn1_31bf3856ad364e35_6.0.6002.22218_none_c9c75e79bba6335e

For all supported IA-64-based versions of Windows Server 2008

File NameVersionDateTimeSizeCPUService branch
msasn1.dll6.0.6001.1832603-Sep-200923:59185,856IA-64Windows6.0-KB974571-ia64\ia64_microsoft-windows-msasn1_31bf3856ad364e35_6.0.6001.18326_none_c74c2156a56a3388
msasn1.dll6.0.6001.2251504-Sep-200900:14185,856IA-64Windows6.0-KB974571-ia64\ia64_microsoft-windows-msasn1_31bf3856ad364e35_6.0.6001.22515_none_c7df8fa9be809b31
msasn1.dll6.0.6002.1810603-Sep-200923:04185,856IA-64Windows6.0-KB974571-ia64\ia64_microsoft-windows-msasn1_31bf3856ad364e35_6.0.6002.18106_none_c94834fca2804df1
msasn1.dll6.0.6002.2221803-Sep-200923:09185,856IA-64Windows6.0-KB974571-ia64\ia64_microsoft-windows-msasn1_31bf3856ad364e35_6.0.6002.22218_none_c9c9026fbba43c5a
msasn1.dll6.0.6001.1832603-Sep-200923:5461,440X86Windows6.0-KB974571-ia64\x86_microsoft-windows-msasn1_31bf3856ad364e35_6.0.6001.18326_none_c74a7d60a56c2a8c
msasn1.dll6.0.6001.2251504-Sep-200901:5361,440X86Windows6.0-KB974571-ia64\x86_microsoft-windows-msasn1_31bf3856ad364e35_6.0.6001.22515_none_c7ddebb3be829235
msasn1.dll6.0.6002.1810603-Sep-200923:1160,928X86Windows6.0-KB974571-ia64\x86_microsoft-windows-msasn1_31bf3856ad364e35_6.0.6002.18106_none_c9469106a28244f5
msasn1.dll6.0.6002.2221804-Sep-200901:4960,928X86Windows6.0-KB974571-ia64\x86_microsoft-windows-msasn1_31bf3856ad364e35_6.0.6002.22218_none_c9c75e79bba6335e

Windows 7 and Windows Server 2008 R2 file information

For all supported x86-based versions of Windows 7

File NameVersionDateTimeSizeService branch
msasn1.dll6.1.7600.1641528-Aug-200918:2734,816Windows6.1-KB974571-x86\x86_microsoft-windows-msasn1_31bf3856ad364e35_6.1.7600.16415_none_c77c1d48067c322c
msasn1.dll6.1.7600.2051828-Aug-200919:2034,816Windows6.1-KB974571-x86\x86_microsoft-windows-msasn1_31bf3856ad364e35_6.1.7600.20518_none_c808baf11f971dfb

For all supported x64-based versions of Windows 7 and Windows Server 2008 R2

File NameVersionDateTimeSizeCPUService branch
msasn1.dll6.1.7600.1641528-Aug-200919:2046,592X64Windows6.1-KB974571-x64\amd64_microsoft-windows-msasn1_31bf3856ad364e35_6.1.7600.16415_none_239ab8cbbed9a362
msasn1.dll6.1.7600.2051828-Aug-200920:2046,592X64Windows6.1-KB974571-x64\amd64_microsoft-windows-msasn1_31bf3856ad364e35_6.1.7600.20518_none_24275674d7f48f31
msasn1.dll6.1.7600.1641528-Aug-200918:2734,816X86Windows6.1-KB974571-x64\x86_microsoft-windows-msasn1_31bf3856ad364e35_6.1.7600.16415_none_c77c1d48067c322c
msasn1.dll6.1.7600.2051828-Aug-200919:2034,816X86Windows6.1-KB974571-x64\x86_microsoft-windows-msasn1_31bf3856ad364e35_6.1.7600.20518_none_c808baf11f971dfb

For all supported IA-64-based versions of Windows Server 2008 R2

File NameVersionDateTimeSizeCPUService branch
msasn1.dll6.1.7600.1641528-Aug-200917:48106,496IA-64Windows6.1-KB974571-ia64\ia64_microsoft-windows-msasn1_31bf3856ad364e35_6.1.7600.16415_none_c77dc13e067a3b28
msasn1.dll6.1.7600.2051828-Aug-200918:26106,496IA-64Windows6.1-KB974571-ia64\ia64_microsoft-windows-msasn1_31bf3856ad364e35_6.1.7600.20518_none_c80a5ee71f9526f7
msasn1.dll6.1.7600.1641528-Aug-200918:2734,816X86Windows6.1-KB974571-ia64\x86_microsoft-windows-msasn1_31bf3856ad364e35_6.1.7600.16415_none_c77c1d48067c322c
msasn1.dll6.1.7600.2051828-Aug-200919:2034,816X86Windows6.1-KB974571-ia64\x86_microsoft-windows-msasn1_31bf3856ad364e35_6.1.7600.20518_none_c808baf11f971dfb

↑ Back to the top


Applies to:

↑ Back to the top

Keywords: kb, kbsccm, atdownload, kbbug, kbexpertiseinter, kbfix, kblangall, kbmustloc, kbsecbulletin, kbsecreview, kbsecurity, kbsecvulnerability, kbsurveynew

↑ Back to the top

Article Info
Article ID : 974571
Revision : 3
Created on : 3/30/2017
Published on : 3/30/2017
Exists online : False
Views : 474