eWEEK Labs has discovered that Microsoft Corp.'s Internet Explorer Version 5.0 and higher—as well as the company's IIS Web server—has a significant security incompatibility with other major Web browsers and with the Apache Software Foundation's Apache HTTP Web server.
The incompatibility lies in how Microsoft has implemented digest access authentication, a World Wide Web Consortium standard (RFC 2617) that specifies how users can securely log in to Web servers. Digest authentication is widely acknowledged to be the best available Internet standard for this purpose.
The upshot is that IE cannot be used as a Web client for any Apache-based Web application that uses digest authentication. In addition, every non-IE browser we tested couldn't be used as a client for any Internet Information Services-based Web application that uses digest authentication. (We tested this with Mozilla.org's Mozilla 0.9.9, Opera Software ASA's Opera 6.01 and the W3C's reference browser implementation Amaya; Netscape Communications Corp.'s Navigator doesn't currently support digest authentication. Static Web pages are not affected by the problem.)
Digest authentication hasn't had a big impact so far because it is a relatively new technology: IE 5.0 and IIS 5.0 (part of Windows 2000) were the first Microsoft products to support it. Mozilla, the foundation of the Navigator browser (and possibly the Web browser used in America Online Inc.'s next client upgrade), gained digest authentication only in late December.
After eWEEK Labs alerted Microsoft to the discovery, a Microsoft spokesman stated that the company has identified the issue and will work on a fix. However, the representative also told eWEEK Labs that "the nature of this particular issue does not put customer data at risk or pose a known security threat, so the fix will be prioritized accordingly."
Paul Leach, Microsoft's representative to the W3C's digest authentication standards committee and one of the specification's authors, attributed the problem to how the definition of one part of the digest authentication header conflicted with other statements in the standard about how the header needed to be built. Microsoft went one way; everyone else went the other way.
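As an added worked example (not code from eWEEK, Microsoft or the Apache project), here is a server-side RFC 2617 digest verifier in Python that recomputes the response value the standard defines and parses the Authorization header tolerantly, accepting both quoted and bare parameter values; whether a given field is quoted is one of the per-field header-construction choices RFC 2617 specifies, and a server that insists on one form for every field will reject clients that chose the other. The sample header is constructed from RFC 2617's own example values; the password lookup callback and the restriction to algorithm=MD5 with qop=auth (or no qop) are assumptions of this example.

```python
import hashlib
import hmac
import re

# Constructed sample Authorization header using the example values from
# RFC 2617 section 3.5 (password "Circle Of Life"). qop and nc appear as
# bare tokens; the other values are quoted strings.
SAMPLE_HEADER = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)

def _md5(text):
    return hashlib.md5(text.encode("latin-1")).hexdigest()

def parse_digest_header(header):
    """Parse 'Digest k=v, ...' into a dict, accepting quoted or bare values
    for every parameter so a purely syntactic quoting difference between
    client and server does not turn into an authentication failure."""
    m = re.match(r'\s*Digest\s+(.*)', header, re.S)
    if not m:
        return {}
    params = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', m.group(1)):
        params[key.lower()] = quoted if quoted else bare
    return params

def digest_response(username, realm, password, method, uri, nonce,
                    nc=None, cnonce=None, qop=None):
    """RFC 2617 response for algorithm=MD5: qop=auth form, or the legacy
    RFC 2069 form when the client sent no qop. MD5-sess and auth-int are
    deliberately out of scope here."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop == "auth":
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def verify_digest(header, method, lookup_password):
    """Server-side check: recompute the response from the stored password
    and compare in constant time. A real server must additionally check that
    the nonce is one it issued and still fresh, and that nc never repeats."""
    p = parse_digest_header(header)
    password = lookup_password(p.get("username", ""), p.get("realm", ""))
    if password is None or "response" not in p:
        return False
    expected = digest_response(p.get("username", ""), p.get("realm", ""), password,
                               method, p.get("uri", ""), p.get("nonce", ""),
                               p.get("nc"), p.get("cnonce"), p.get("qop"))
    return hmac.compare_digest(expected, p["response"].lower())
```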