Microsoft Windows contains a flaw due to the Terminal Services Licensing Certification Authority issuing two sub-certificates that could be used to sign arbitrary code. The "Microsoft Enforced Licensing Intermediate PCA" and "Microsoft Enforced Licensing Registration Authority CA" certificates could be used by a third party to sign arbitrary code so that it appeared to be from Microsoft. This could be used to trick a user into installing any software under the guise of it coming from a legitimate vendor.

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability. Check the vendor advisory or solution in the references section.

• Microsoft Knowledge Base Article: 2728973
• Vendor Specific Advisory URL: http://blogs.technet.com/b/srd/archive/2012/06/03/microsoft-certification-authority-signing-certificates-added-to-the-untrusted-certificate-store.aspx
  http://technet.microsoft.com/en-us/security/advisory/2728973
• News Article: http://www.wired.com/threatlevel/2013/03/flame-windows-update-copycat/

• Not Available

NVD does not currently have a CVSSv2 score assigned.