IT security professionals are facing the prospect of dealing with
one of the most serious flaws yet discovered in Microsoft Internet
Explorer.

The software giant is investigating a report on the security site
Bugtraq concerning problems with the way Internet Explorer handles
digital certificates. If the flaw is confirmed, users will have to
upgrade every copy of Internet Explorer on their site to fix the
problem.

"As soon as the investigation is complete we will know the best way
to protect our customers," a spokesperson for Microsoft said.

The loophole could allow hackers to create a spoof e-commerce site
and capture user names, passwords and credit card numbers. However,
"the scenario proposed would be difficult to pull off
successfully," the spokesperson added.

News of the potential problem could prove a major embarrassment for
Microsoft after last week's settlement with the US Federal Trade
Commission following allegations of poor security in Microsoft's
Passport authentication service.

In a posting on the Bugtraq site, Mike Benham, who found the hole,
said that by using his own digital certificate signed by a
certification authority (such as VeriSign) he would be able to
circumvent the strong security provided by SSL (Secure Sockets
Layer) within Internet Explorer.

He said his certificate could be made to look like it belonged to
another Web site. "I would consider this to be incredibly severe.
Any of the standard connection hijacking techniques can be combined
with this vulnerability to produce a successful man in the middle
attack," he said.

Richard Brain, technical director at ProCheckUp, which runs a
penetration testing service, said the flaw could allow a hacker to
spoof an e-commerce site. "A hacker could generate their own
certificate and imitate Amazon," he said.

The security hole occurs as a result of a problem in the way
Internet Explorer handles digital certificates. Certificates
provide users on the Internet with a means to confirm the Web site
they log into is genuine.

A bug in the way the certificates are checked within Internet
Explorer means it is possible to substitute genuine certificates
with a fake, said Benham.