Security flaw found in Microsoft Web browser

[InfoSec News <isn () c4i org>]

http://www.siliconvalley.com/mld/siliconvalley/3851394.htm

Aug. 12, 2002

SAN FRANCISCO (Reuters) - Security researchers Monday said they have 
found serious flaws in Microsoft Corp.'s Internet Explorer browser and 
in PGP, a widely used data scrambling program, that could expose 
credit card and other sensitive information of Internet users.

The Internet Explorer (IE) problem has been around for at least five 
years and could allow an attacker to intercept personal data when a 
user is making a purchase or providing information for e-commerce 
purposes, said Mike Benham, an independent security researcher based 
in San Francisco.

``If you ever typed in credit card information to an SSL site there's 
a chance that somebody intercepted it,'' he added.

Internet Explorer fails to check the validity of digital certificates 
used to prove the identity of Web sites, allowing for an ``undetected, 
man in the middle attack,'' he said.

Digital certificates are typically issued by trusted certificate 
authorities, such as VeriSign Inc., and used by Web sites in 
conjunction with the Secure Sockets Layer (SSL) protocol for 
encryption and authentication.

Anyone with a valid digital certificate for any Web site can generate 
a valid certificate for any other Web site, according to Benham.

``I would consider this to be incredibly severe,'' he added.

Cryptography expert Bruce Schneier agreed.

``This is one of the worst cryptographic vulnerabilities I've seen in 
a long time,'' said Schneier, co-founder and chief technology officer 
at Counterpane Internet Security, a Cupertino, California-based 
network monitoring firm.

``What this means is that all the cryptographic protections of SSL 
don't work if you're a Microsoft IE user,'' Schneier added.

MICROSOFT DOWNPLAYS REPORT

Microsoft is investigating the IE flaw, said Scott Culp, manager of 
the Microsoft Security Response Center. Certain mitigating factors 
diminish the risk to users, he added.

For example, an attacker would have to create a fake Web site and 
redirect people from a legitimate Web site to the fake one, according 
to Culp.

``We're not, by any means, dismissing the report,'' he said. ''What we 
are saying is that based on the preliminary investigation so far, it's 
obvious there would be some daunting challenges with the scenario 
that's been described.''

Benham and Schneier disagreed, noting that people fake Web sites all 
the time and there are publicly available tools that allow attackers 
to redirect Web surfers.

An attacker wouldn't even need to create a fake Web site, but could 
merely intercept the data from a legitimate Web site without the 
victim knowing, Benham said.

Benham wrote a program that demonstrates how easy it is to intercept 
SSL connections and decrypt them.

``The reason SSL exists is to defend against these types of attacks,'' 
he said. ``If these types of attacks were so hard, nobody would have 
to use SSL.''

Schneier released information Monday about a separate flaw in the PGP 
(Pretty Good Privacy) program that is freely available and used to 
encrypt messages sent over the Internet.

Schneier and Jonathan Katz of the University of Maryland at College 
Park found a way an attacker could intercept a PGP encrypted message, 
modify it without decrypting it, dupe the user into sending it back, 
and retrieve the original message.

``It's beautiful mathematically, but in terms of seriousness, it's not 
that serious,'' Schneier said.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.