Re: IE SSL Vulnerability

["Torbjörn" Hovmark <torbjorn.hovmark () abtrusion com>]

In-Reply-To: <Pine.BSO.4.33.0208031620550.8632-100000 () moxie thoughtcrime org>

Mike,

I have checked out your sample exploit, and I can confirm that my IE 5 is 
vulnerable. Regarding the post by Alex Loots, the certificate is a regular 
server certificate, not an intermediate CA with name constraints (if I 
have understood his message correctly) and the error certainly is in the 
client software and not anywhere else.

Is the error in the browser itself or is it in CryptoAPI? What about 
earlier versions of IE - are they vulnerable too. Are other Microsoft 
products that do certificate chain validation, such as IIS, vulnerable?

I agree that this is very, very serious, as it can easily be exploited 
against a large number of people at the same time, with very little risk 
of detection. There is not much that can be done to remedy the problem on 
the server side. A partial remedy would be to demand client certificates, 
but in most cases that requires completely changing the security 
infrastructure. SSL is used to protect most Internet banks. If SSL (or 
rather the IE implementation of SSL) can be broken this easily, it is very 
worrying indeed.

Best regards / Torbjörn Hovmark

______________________________________
Abtrusion Security AB
http://www.abtrusion.com