Hello list, I have a question regarding the IE certificate chain vulnerability reported in MS02-050. The patch that fixes this vulnerability results in strange behavior of IE when a connection attempt is being made to a website which uses a malicious certificate. I have set up a demo that uses a malicious certificate (A) that is generated on 19-08-2002 by means of a website certificate (B) published by a default IE trusted third party (C). Certificate B is valid from 17-08-2002 until 16-11-2002. When I connect to the malicious website with the current date set on my client system (20-01-2003 at the time of this writing) the patched IE gives a warning about the validity date of the certificate and does not give any warnings regarding the faulty certificate chain. In my opinion IE should tell exactly why the certificate is not correct including the faulty chain. Most end users don't even bother the warning about the date and continue browsing. This happens all the time with valid certificates to so they have seen it before. When I set the date of my client system to a date between 19-08-2002 and 16-11-2002 it is not possible to connect to the malicious website. The default IE “DNS or …” error page is being displayed. The error displayed is not informative enough but IE at least keeps me from entering the malicious site. So even with a patched version of IE it is still possible to almost transparently exploit the chain vulnerability because of incorrect warnings. I have tested this on a W2KPro system with a patched IE 5.0. Has anybody also noticed this behavior? I have contacted Microsoft two weeks ago about this issue but they have not replied yet. - Alex
This archive was generated by hypermail 2b30 : Thu Jan 23 2003 - 12:19:00 PST