Posted on 08/13/2002 10:31:08 AM PDT by flamefront
Security researchers say they have found a serious flaw in Microsoft's Internet Explorer browser that could expose credit card and other sensitive information of Internet surfers.
The IE problem has been around for at least five years and could allow an attacker to intercept personal data when a person is making a purchase or providing information for e-commerce purposes, said Mike Benham, an independent security researcher based in San Francisco.
"If you ever typed in credit card information to an SSL site, there's a chance that somebody intercepted it," he said, referring to the Secure Socket Layer protocol for encryption and authentication.
IE fails to check the validity of digital certificates used to prove the identity of Web sites, allowing for an "undetected, man in the middle attack," he said Monday.
Digital certificates are typically issued by trusted certificate authorities, such as VeriSign, and used by Web sites in conjunction with SSL. Anyone with a valid digital certificate for any Web site can generate a valid certificate for any other Web site, according to Benham.
"I would consider this to be incredibly severe," he added.
Cryptography expert Bruce Schneier agreed.
"This is one of the worst cryptographic vulnerabilities I've seen in a long time," said Schneier, chief technology officer at Counterpane Internet Security, a Cupertino, Calif.-based network monitoring company.
"What this means is that all the cryptographic protections of SSL don't work if you're a Microsoft IE user," Schneier said.
Hackers and security experts frequently find software flaws in IE.
Microsoft is investigating the newly discovered flaw, said Scott Culp, manager of the Microsoft Security Response Center. But certain mitigating factors diminish the risk, he added.
For example, an attacker would have to create a fake Web site and redirect people from a legitimate Web site to the fake one, according to Culp.
"We're not, by any means, dismissing the report," he said. "What we are saying is that based on the preliminary investigation so far, it's obvious there would be some daunting challenges with the scenario that's been described."
Benham and Schneier disagreed, noting that people fake Web sites all the time and that there are publicly available tools that allow attackers to redirect Web surfers.
An attacker wouldn't even need to create a fake Web site, Benham asserted, but could merely intercept the data from a legitimate Web site without the victim knowing.
Benham wrote a program that demonstrates how easy it is to intercept SSL connections and decrypt them.
"The reason SSL exists is to defend against these types of attacks," he said. "If these types of attacks were so hard, nobody would have to use SSL."
Schneier also released information Monday about a separate flaw in the PGP (Pretty Good Privacy) program that is freely available and used to encrypt messages sent over the Internet.
Schneier and Jonathan Katz, a professor at the University of Maryland at College Park, found a way an attacker could intercept a PGP encrypted message, modify it without decrypting it, dupe the person into sending it back, and retrieve the original message.
"It's beautiful mathematically. But in terms of seriousness, it's not that serious," Schneier said.
Story Copyright © 2002 Reuters Limited. All rights reserved.
For fair use.
Got root?
NOTE: This Penguin Ping is a restoration. Check with me to make sure you're back on it.
Per originator's request.
We need to spend billions to make absolutely sure that our banking data is delivered securely into the hands of the minimum-wage drones who work in the kinds of sweatshops where paperwork like this is processed. What were you in for? |