IE Flaw Leaves Users Open to Data Theft
IT Management
SHARE
Facebook X Pinterest WhatsApp

IE Flaw Leaves Users Open to Data Theft

Written By
Dennis Fisher
Dennis Fisher
Aug 12, 2002
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

There is a severe flaw in Microsoft Corp.s ubiquitous Internet Explorer browser that could enable a malicious Web site operator to hijack user sessions and steal their credit card numbers and other sensitive data.

The flaw lies in the way that IE verifies the validity of digital certificates issued to Web sites that offer SSL (Secure Socket Layer)-enabled connections. Such certificates are typically issued and signed by CAs (certificate authorities) such as VeriSign Inc. and list the URL of the Web site to which they are issued. When a user connects via the SSL protocol to a Web site, the users browser will check the certificate to ensure that the domain listed on it matches the ones to which the browser is connected.

However, CAs often farm out the job of issuing certificates. So a user might get a VeriSign certificate that has been signed by an intermediate authority. In such a case, a users browser should check all of the same parameters on the intermediate certificate as well.

But, IE fails to check the domain on the intermediate certificate against the URL.

“So what does this mean? This means that as far as IE is concerned, anyone with a valid CA-signed certificate for any domain can generate a valid CA-signed certificate for any other domain,” researcher Mike Benham wrote in an advisory on the issue that he posted to BugTraq recently.

The most likely and damaging attack scenario for this flaw would be a so-called man-in-the-middle attack, wherein a malicious Web site operator could generate and sign a bogus certificate for Amazon.com, for example.

The vulnerability affects IE 5 and 5.5, and 6.0 in some cases.

“I would consider this to be incredibly severe. Any of the standard connection hijacking techniques can be combined with this vulnerability to produce a successful man in the middle attack. Since all you need is one constant CA-signed certificate and the corresponding private key, an attacker can use that to generate spoofed certificates for other domains as connections are intercepted on the fly,” Benham said in his advisory.

Benham did not alert Microsoft, of Redmond, Wash., to the problem before publishing his advisory, saying that he was disappointed in the way the company handled a vulnerability in IE reported by another researcher recently.

Also vulnerable to this attack is KDEs open-source Konqueror browser. KDE has made a fix available on the Concurrent Versions System.

Related stories:

  • Microsoft Sews Patch for IE
  • Whither Internet Explorer?
  • More Security Coverage
Dennis Fisher
eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

facebook
linkedin
youtube
rss
x

Company

About us Contact us Advertise with us

Categories

Latest News Resources Artificial Intelligence Video Big Data & Analytics Cloud Networking

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

Terms of Service Privacy Policy California - Do Not Sell My Information