http://www.siliconvalley.com/mld/siliconvalley/3851394.htm
Aug. 12, 2002
SAN FRANCISCO (Reuters) - Security researchers Monday said they have
found serious flaws in Microsoft Corp.'s Internet Explorer browser and
in PGP, a widely used data scrambling program, that could expose
credit card and other sensitive information of Internet users.
The Internet Explorer (IE) problem has been around for at least five
years and could allow an attacker to intercept personal data when a
user is making a purchase or providing information for e-commerce
purposes, said Mike Benham, an independent security researcher based
in San Francisco.
``If you ever typed in credit card information to an SSL site there's
a chance that somebody intercepted it,'' he added.
Internet Explorer fails to check the validity of digital certificates
used to prove the identity of Web sites, allowing for an ``undetected,
man in the middle attack,'' he said.
Digital certificates are typically issued by trusted certificate
authorities, such as VeriSign Inc., and used by Web sites in
conjunction with the Secure Sockets Layer (SSL) protocol for
encryption and authentication.
Anyone with a valid digital certificate for any Web site can generate
a valid certificate for any other Web site, according to Benham.
``I would consider this to be incredibly severe,'' he added.
Cryptography expert Bruce Schneier agreed.
``This is one of the worst cryptographic vulnerabilities I've seen in
a long time,'' said Schneier, co-founder and chief technology officer
at Counterpane Internet Security, a Cupertino, California-based
network monitoring firm.
``What this means is that all the cryptographic protections of SSL
don't work if you're a Microsoft IE user,'' Schneier added.
MICROSOFT DOWNPLAYS REPORT
Microsoft is investigating the IE flaw, said Scott Culp, manager of
the Microsoft Security Response Center. Certain mitigating factors
diminish the risk to users, he added.
For example, an attacker would have to create a fake Web site and
redirect people from a legitimate Web site to the fake one, according
to Culp.
``We're not, by any means, dismissing the report,'' he said. ''What we
are saying is that based on the preliminary investigation so far, it's
obvious there would be some daunting challenges with the scenario
that's been described.''
Benham and Schneier disagreed, noting that people fake Web sites all
the time and there are publicly available tools that allow attackers
to redirect Web surfers.
An attacker wouldn't even need to create a fake Web site, but could
merely intercept the data from a legitimate Web site without the
victim knowing, Benham said.
Benham wrote a program that demonstrates how easy it is to intercept
SSL connections and decrypt them.
``The reason SSL exists is to defend against these types of attacks,''
he said. ``If these types of attacks were so hard, nobody would have
to use SSL.''
Schneier released information Monday about a separate flaw in the PGP
(Pretty Good Privacy) program that is freely available and used to
encrypt messages sent over the Internet.
Schneier and Jonathan Katz of the University of Maryland at College
Park found a way an attacker could intercept a PGP encrypted message,
modify it without decrypting it, dupe the user into sending it back,
and retrieve the original message.
``It's beautiful mathematically, but in terms of seriousness, it's not
that serious,'' Schneier said.
-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo_at_attrition.org with 'unsubscribe isn'
in the BODY of the mail.
Received on Aug 13 2002
Intro
