Another IE flaw could expose users' data
August 14, 2002
Microsoft is investigating claims that its popular Internet Explorer (IE) software has a security flaw that could enable a malicious Web site operator to hijack user sessions and steal their credit card numbers and other sensitive data.
Malicious web site operators taking advantage of the flaw could trick users into thinking they are visiting legitimate Web sites, and could convince them to disclose personal information.
The loophole lies in IE's implementation of SSL (Secure Sockets Layer). When a user connects via the SSL protocol to a Web site, the user's browser checks the site's certificate to ensure that the domain listed on it matches the one to which the browser is connected. Such certificates are typically issued and signed by CAs (certificate authorities) such as VeriSign Inc. and list the URL of the Web site to which they are issued.
Because IE fails to verify the validity of digital certificates, anyone with a signed certificate for any domain could generate a certificate for any other domain, which would appear to be signed by a valid CA.
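The missing check, sketched as an added example (not code from the article or from any browser): it assumes the skipped validation is the X.509 basicConstraints CA flag on issuing certificates, which the article does not name. Signatures are treated as already verified, and all certificate names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str   # domain or CA name the certificate was issued to
    issuer: str    # subject of the certificate that signed this one
    is_ca: bool    # X.509 basicConstraints CA flag (assumed to be the missing check)


TRUSTED_ROOTS = {"Example Root CA"}  # constructed trust store


def validate(chain, hostname, check_ca_flag=True):
    """Validate a chain (leaf first, root last) for hostname.

    Models only the path checks; every signature is assumed to be
    cryptographically valid. check_ca_flag=False reproduces the flawed
    behaviour the article describes. Returns (ok, reason).
    """
    if not chain:
        return False, "empty chain"
    if chain[0].subject.lower() != hostname.lower():
        return False, "name mismatch"
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False, f"{child.subject} not issued by {parent.subject}"
        # The step that matters: a certificate may only sign other
        # certificates if it was itself issued as a CA certificate.
        if check_ca_flag and not parent.is_ca:
            return False, f"{parent.subject} is not a CA"
    root = chain[-1]
    if root.subject not in TRUSTED_ROOTS or root.issuer != root.subject:
        return False, "untrusted root"
    return True, "ok"


# Constructed sample certificates.
ROOT = Cert("Example Root CA", "Example Root CA", True)
LEGIT = Cert("www.bank.example", "Example Root CA", False)
OTHER_SITE = Cert("www.other.example", "Example Root CA", False)  # ordinary site cert
BOGUS = Cert("www.bank.example", "www.other.example", False)      # signed by a site cert

if __name__ == "__main__":
    chain = [BOGUS, OTHER_SITE, ROOT]
    print("flawed :", validate(chain, "www.bank.example", check_ca_flag=False))
    print("correct:", validate(chain, "www.bank.example"))
    print("legit  :", validate([LEGIT, ROOT], "www.bank.example"))
```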
The most likely and destructive attack scenario for this loophole would be a so-called active, undetected man-in-the-middle attack, where no dialogs are shown and no warnings are given. A malicious Web site operator could thus generate and sign a bogus certificate to pretend to be any other Web site operator.
Hypothetically, attackers could successfully hijack computer users -- such as over a company's internal network -- as they went to banking or e-commerce Web sites, and intercept their information. Or they could send hijacked users to dummy Web sites and trick them into giving personal information.
Reportedly, IE 5 and IE 5.5 are vulnerable to this kind of exploit, and IE 6 is vulnerable under most circumstances.
Microsoft is still investigating and is uncertain even whether to call it a 'vulnerability', said Scott Culp, manager of Microsoft's Security Response Center. The possible flaw comes as Microsoft has launched a high-profile effort, called its Trustworthy Computing initiative, to resolve security concerns. But problems remain.
Two other browsers, KDE's open-source Konqueror and Opera Software ASA's Opera, are also vulnerable to this attack. Both organizations have already released updates that fix the problem. Opera 6.05 for Windows, released Tuesday, fixes the flaw. KDE has made a fix for Konqueror available on the Concurrent Versions System.