-----Original Message----- From: UNIRAS (UK Govt CERT) [mailto:[EMAIL PROTECTED]] Sent: 21 August 2002 14:00 To: [EMAIL PROTECTED] Subject: UNIRAS Brief - 264/02 - Microsoft + KDE - Recently discovered SSL vulnerability -----BEGIN PGP SIGNED MESSAGE----- - ------------------------------------------------------------------------------ ---- UNIRAS (UK Govt CERT) Briefing Notice - 264/02 dated 21.08.02 Time: 14:05 UNIRAS is part of NISCC(National Infrastructure Security Co-ordination Centre) - ------------------------------------------------------------------------------ ---- UNIRAS material is also available from its website at www.uniras.gov.uk and Information about NISCC is available from www.niscc.gov.uk - ------------------------------------------------------------------------------ ---- Title ===== Recently discovered SSL vulnerability Detail ====== Departmental and organisational security officers should be aware that under certain circumstances it is possible to redirect an HTTPS web session. The circumstances are that: - - the IP address corresponding to the web address has been altered (either because a forged DNS update has been sent or because the DNS server has been compromised) - - the browser used does not check the basic constraints fields of the X.509 certificate used in an HTTPS session. For Microsoft Internet Explorer 6 there is also a dependency on whether the basic constraint fields are present in the X.509 certificate, as these fields are optional in the X.509 specification. Vulnerable browsers are all current versions of Microsoft Internet Explorer 5 and 6 and KDE Konqueror versions prior to 3.0.3. Microsoft are working on a patch for Internet Explorer. Microsoft Comment: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/news /IARWSV.as p KDE Bulletin: http://www.kde.org/info/security/advisory-20020818-1.txt It is recommended that all users apply vendor patches when available. Konqueror 2.2.2 users should apply the patch at: ftp://ftp.kde.org/pub/kde/security_patches/post-2.2.2-kdelibs-kssl.diff or upgrade to Konqueror 3.0.3. If a patch is not available, users are recommended to check the validity of the certificate for any HTTPS sessions that they initiate. In Internet Explorer this can be done by clicking on the padlock at the base of the browser window. The certificate should match the web site name. If the names do not match, the session should be abandoned. Reference: http://online.securityfocus.com/archive/1/286290/2002-07-31/2002-08-06/0 http://online.securityfocus.com/archive/1/287050/2002-08-07/2002-08-13/2 - ------------------------------------------------------------------------------ ---- For additional information or assistance, please contact the HELP Desk by telephone or Not Protectively Marked information may be sent via EMail to: [EMAIL PROTECTED] Tel: 020 7821 1330 Ext 4511 Fax: 020 7821 1686 - ------------------------------------------------------------------------------ ---- UNIRAS wishes to acknowledge the contributions of KDE and Microsoft Corporation for the information contained in this Briefing. - ------------------------------------------------------------------------------ ---- This Briefing contains the information released by the original author. Some of the information may have changed since it was released. If the vulnerability affects you, it may be prudent to retrieve the advisory from the canonical site to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by UNIRAS or NISCC. The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. Neither UNIRAS or NISCC shall also accept responsibility for any errors or omissions contained within this briefing notice. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this notice. UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large. - ------------------------------------------------------------------------------ ---- <End of UNIRAS Briefing> -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 iQCVAwUBPWOOoIpao72zK539AQEmGwP/Q3+LaAyXTIx45AE8PIYA85r1otFE4yPh QNi2miZYTKUtbQQ17xWk/7KQMSyc6dwBPY7Cm0ICDRJbIoKU+XIenqJ1MfM93GAt 1g0HGYzbHI0Y+T+dCxSLl6B54ftwYLXwHGX8rqfhr6mERzNZ44qMhyrfleLFdxY4 FdNLMGNf9bk= =h/PB -----END PGP SIGNATURE----- IWS INFOCON Mailing List @ IWS - The Information Warfare Site http://www.iwar.org.uk