There is a severe flaw in Microsoft Corp.s ubiquitous Internet Explorer browser that could enable a malicious Web site operator to hijack user sessions and steal their credit card numbers and other sensitive data.
The flaw lies in the way that IE verifies the validity of digital certificates issued to Web sites that offer SSL (Secure Socket Layer)-enabled connections. Such certificates are typically issued and signed by CAs (certificate authorities) such as VeriSign Inc. and list the URL of the Web site to which they are issued. When a user connects via the SSL protocol to a Web site, the users browser will check the certificate to ensure that the domain listed on it matches the ones to which the browser is connected.
However, CAs often farm out the job of issuing certificates. So a user might get a VeriSign certificate that has been signed by an intermediate authority. In such a case, a users browser should check all of the same parameters on the intermediate certificate as well.
But, IE fails to check the domain on the intermediate certificate against the URL.
“So what does this mean? This means that as far as IE is concerned, anyone with a valid CA-signed certificate for any domain can generate a valid CA-signed certificate for any other domain,” researcher Mike Benham wrote in an advisory on the issue that he posted to BugTraq recently.
The most likely and damaging attack scenario for this flaw would be a so-called man-in-the-middle attack, wherein a malicious Web site operator could generate and sign a bogus certificate for Amazon.com, for example.
The vulnerability affects IE 5 and 5.5, and 6.0 in some cases.
“I would consider this to be incredibly severe. Any of the standard connection hijacking techniques can be combined with this vulnerability to produce a successful man in the middle attack. Since all you need is one constant CA-signed certificate and the corresponding private key, an attacker can use that to generate spoofed certificates for other domains as connections are intercepted on the fly,” Benham said in his advisory.
Benham did not alert Microsoft, of Redmond, Wash., to the problem before publishing his advisory, saying that he was disappointed in the way the company handled a vulnerability in IE reported by another researcher recently.
Also vulnerable to this attack is KDEs open-source Konqueror browser. KDE has made a fix available on the Concurrent Versions System.
- Microsoft Sews Patch for IE
- Whither Internet Explorer?
- More Security Coverage