-Caveat Lector- FYI.
- jt -- http://www.eweek.com/article2/0,3959,462381,00.asp August 12, 2002 IE Flaw Leaves Users Open to Data Theft By Dennis Fisher There is a severe flaw in Microsoft Corp.'s ubiquitous Internet Explorer browser that could enable a malicious Web site operator to hijack user sessions and steal their credit card numbers and other sensitive data. The flaw lies in the way that IE verifies the validity of digital certificates issued to Web sites that offer SSL (Secure Socket Layer)-enabled connections. Such certificates are typically issued and signed by CAs (certificate authorities) such as VeriSign Inc. and list the URL of the Web site to which they are issued. When a user connects via the SSL protocol to a Web site, the user's browser will check the certificate to ensure that the domain listed on it matches the ones to which the browser is connected. However, CAs often farm out the job of issuing certificates. So a user might get a VeriSign certificate that has been signed by an intermediate authority. In such a case, a user's browser should check all of the same parameters on the intermediate certificate as well. But, IE fails to check the domain on the intermediate certificate against the URL. "So what does this mean? This means that as far as IE is concerned, anyone with a valid CA-signed certificate for any domain can generate a valid CA-signed certificate for any other domain," researcher Mike Benham wrote in an advisory on the issue that he posted to BugTraq recently. The most likely and damaging attack scenario for this flaw would be a so-called man-in-the-middle attack, wherein a malicious Web site operator could generate and sign a bogus certificate for Amazon.com, for example. The vulnerability affects IE 5 and 5.5, and 6.0 in some cases. "I would consider this to be incredibly severe. Any of the standard connection hijacking techniques can be combined with this vulnerability to produce a successful man in the middle attack. Since all you need is one constant CA-signed certificate and the corresponding private key, an attacker can use that to generate spoofed certificates for other domains as connections are intercepted on the fly," Benham said in his advisory. Benham did not alert Microsoft, of Redmond, Wash., to the problem before publishing his advisory, saying that he was disappointed in the way the company handled a vulnerability in IE reported by another researcher recently. Two other browsers, KDE's open-source Konqueror and Opera Software ASA's Opera, are also vulnerable to this attack. Both organizations have already released updates that fix the problem. Opera 6.05 for Windows, released Tuesday, fixes the flaw. KDE has made a fix for Konqueror available on the Concurrent Versions System. <A HREF="http://www.ctrl.org/">www.ctrl.org</A> DECLARATION & DISCLAIMER ========== CTRL is a discussion & informational exchange list. Proselytizing propagandic screeds are unwelcomed. Substance—not soap-boxing—please! These are sordid matters and 'conspiracy theory'—with its many half-truths, mis- directions and outright frauds—is used politically by different groups with major and minor effects spread throughout the spectrum of time and thought. That being said, CTRLgives no endorsement to the validity of posts, and always suggests to readers; be wary of what you read. CTRL gives no credence to Holocaust denial and nazi's need not apply. Let us please be civil and as always, Caveat Lector. ======================================================================== Archives Available at: http://peach.ease.lsoft.com/archives/ctrl.html <A HREF="http://peach.ease.lsoft.com/archives/ctrl.html">Archives of [EMAIL PROTECTED]</A> http:[EMAIL PROTECTED]/ <A HREF="http:[EMAIL PROTECTED]/">ctrl</A> ======================================================================== To subscribe to Conspiracy Theory Research List[CTRL] send email: SUBSCRIBE CTRL [to:] [EMAIL PROTECTED] To UNsubscribe to Conspiracy Theory Research List[CTRL] send email: SIGNOFF CTRL [to:] [EMAIL PROTECTED] Om