[ISN] Security flaw found in Microsoft Web browser

From: InfoSec News (isnat_private)
Date: Tue Aug 13 2002 - 02:30:38 PDT

    http://www.siliconvalley.com/mld/siliconvalley/3851394.htm
    
    Aug. 12, 2002
    
    SAN FRANCISCO (Reuters) - Security researchers Monday said they have 
    found serious flaws in Microsoft Corp.'s Internet Explorer browser and 
    in PGP, a widely used data scrambling program, that could expose 
    credit card and other sensitive information of Internet users.
    
    The Internet Explorer (IE) problem has been around for at least five 
    years and could allow an attacker to intercept personal data when a 
    user is making a purchase or providing information for e-commerce 
    purposes, said Mike Benham, an independent security researcher based 
    in San Francisco.
    
    ``If you ever typed in credit card information to an SSL site there's 
    a chance that somebody intercepted it,'' he added.
    
    Internet Explorer fails to check the validity of digital certificates 
    used to prove the identity of Web sites, allowing for an ``undetected, 
    man in the middle attack,'' he said.
    
    Digital certificates are typically issued by trusted certificate 
    authorities, such as VeriSign Inc., and used by Web sites in 
    conjunction with the Secure Sockets Layer (SSL) protocol for 
    encryption and authentication.
    
    Anyone with a valid digital certificate for any Web site can generate 
    a valid certificate for any other Web site, according to Benham.
    
    ``I would consider this to be incredibly severe,'' he added.
    
    Cryptography expert Bruce Schneier agreed.
    
    ``This is one of the worst cryptographic vulnerabilities I've seen in 
    a long time,'' said Schneier, co-founder and chief technology officer 
    at Counterpane Internet Security, a Cupertino, California-based 
    network monitoring firm.
    
    ``What this means is that all the cryptographic protections of SSL 
    don't work if you're a Microsoft IE user,'' Schneier added.
    
    MICROSOFT DOWNPLAYS REPORT
    
    Microsoft is investigating the IE flaw, said Scott Culp, manager of 
    the Microsoft Security Response Center. Certain mitigating factors 
    diminish the risk to users, he added.
    
    For example, an attacker would have to create a fake Web site and 
    redirect people from a legitimate Web site to the fake one, according 
    to Culp.
    
    ``We're not, by any means, dismissing the report,'' he said. ``What we 
    are saying is that based on the preliminary investigation so far, it's 
    obvious there would be some daunting challenges with the scenario 
    that's been described.''
    
    Benham and Schneier disagreed, noting that people fake Web sites all 
    the time and there are publicly available tools that allow attackers 
    to redirect Web surfers.
    
    An attacker wouldn't even need to create a fake Web site, but could 
    merely intercept the data from a legitimate Web site without the 
    victim knowing, Benham said.
    
    Benham wrote a program that demonstrates how easy it is to intercept 
    SSL connections and decrypt them.
    
    ``The reason SSL exists is to defend against these types of attacks,'' 
    he said. ``If these types of attacks were so hard, nobody would have 
    to use SSL.''
    
    Schneier released information Monday about a separate flaw in the PGP 
    (Pretty Good Privacy) program that is freely available and used to 
    encrypt messages sent over the Internet.
    
    Schneier and Jonathan Katz of the University of Maryland at College 
    Park found a way an attacker could intercept a PGP encrypted message, 
    modify it without decrypting it, dupe the user into sending it back, 
    and retrieve the original message.
    
    ``It's beautiful mathematically, but in terms of seriousness, it's not 
    that serious,'' Schneier said.
    
    
    
    


