Got root?
Posted on 08/14/2002 10:54:24 AM PDT by Dominic Harr
A serious flaw in SSL certificate handling reported by Mike Benham, affecting IE and Konqueror, has already been fixed by KDE's Waldo Bastian, we're pleased to mention.
The fix is available only in the CVS (Concurrent Versions System) tree at the moment, but KDE reckons it will have patched binaries available for its 3.0.3 version, available early next week. A patch for KDE 2.2.x is currently in the works.
As for Microsoft? According to Benham they haven't even replied to him yet. Apparently, real Trustworthy Computing takes an enormous amount of time.
Conversely, the speed with which the open source community jumps on security bugs and sorts them out is remarkable, and ought to be a solid selling point. Consider the nearly miraculous turnarounds by Mozilla.org on this bug, and this one. Consider a serious Apache bug fixed in less than 24 hours, though security sluts ISS shanked Apache.org with a premature-release publicity stunt.
SSL, we should point out, is one of the most important consumer security protocols in use on the Web. It's what makes your credit card transactions with pr0n sites appear safe. It's what persuades you that sensitive personal data which you entrust to a Web site is a secret between you and them. Only it's broken. Mozilla isn't affected; Opera (on Windows, at least) is fixed as of today; Konqueror will be fully patched by Monday or Tuesday, and IE is vulnerable and in Limbo while MS tries to figure out how to explain it to the teeming millions who trust their products, in preparation for eventually fixing it. But the spin comes first. That's the meaning of Trustworthy Computing.
Where do you want to go today? ®
By HELEN JUNG, AP Business Writer
SEATTLE - Microsoft is investigating claims that its popular Internet Explorer software has a loophole that lets attackers pose as legitimate Web site operators, potentially giving them access to computer users' names, passwords and credit card numbers.
Although Microsoft said it's too soon to judge the severity of the problem, and even whether the flaw exists, some programmers and consultants said it could threaten the security of everything from online banking to Web-based commerce.
The problem is "fairly serious," said Elias Levy, a member of software security company Symantec Corp.'s security response team. He said that the complexity involved makes the probability of widespread attacks unlikely.
Attackers taking advantage of the loophole could trick computer users into thinking they are visiting legitimate Web sites, and could convince them to divulge personal information.
Mike Benham, a San Francisco programmer who discovered the problem, posted his findings Aug. 5 on a popular security-alert Web site.
Benham said Internet Explorer versions 5.0, 5.5 and 6.0 have loopholes in handling Web sites' digital certificates, such as those from VeriSign, which verify Web sites as being legitimate and also include unique code for encrypting information.
Essentially, any Web site operator with a valid certificate could pretend to be any other Web site operator.
Theoretically, he said, attackers could successfully hijack computer users, such as over a company's internal network, as they went to banking or e-commerce Web sites and intercept their information. Or they could send hijacked users to dummy Web sites and get them to give personal information.
Other Web browsers, such as Netscape and Mozilla aren't vulnerable, Benham said.
Microsoft is still investigating and is unsure even whether to call it a vulnerability, said Scott Culp, manager of Microsoft's Security Response Center.
The possible flaw comes as Microsoft has launched a high-profile effort, called its Trustworthy Computing initiative, to resolve security concerns. But problems remain. The company has issued 41 security bulletins with patches so far this year.
Microsoft criticized Benham for not contacting Microsoft first when he discovered the problem, and instead posting it on the Internet. Benham said he did not directly notify Microsoft because he was frustrated by the company's response to other security researchers in the past.
Microsoft maintains it is difficult to wage an attack as Benham outlined, although Levy and another security expert, Bruce Schneier at Counterpane Internet Security, said it is possible.
"Investigating a security vulnerability sometimes takes a little bit longer than people may expect, because it's important that we be absolutely right about the answer we provide," Culp said. He added that Microsoft has not contacted Benham because they had sufficient information and doubted whether he was committed to helping solve the problem.
E-commerce companies have since contacted Microsoft about their concerns, Culp said.
VeriSign, one of the biggest providers of digital certificates, said it learned of the problem on Friday and contacted Microsoft, said Ben Golub, senior vice president of trust and payment services.
He said the two companies are working together to resolve the problem and that they don't know of any real cases yet where someone has successfully spoofed a Web site or gained information.
___
On the Net:
In case anyone wanted to know the count . . .
Opera bump!
Got root?
Kudoos to the KDE team!!!
:-D
Only if it's the full-version. The free version with the ads stinks.
So get on the TELSTAR and inform COMSTAT that HQ needs some BBQ ASAP, OK?
Couldn't resist. ;-)
I've been a happily paid-up Opera user since version 2.x. Spend more time in Opera every day than I do in bed, probably.
Stable, fast, clean configurable interface. Less prone to bugs/attacks than IE, etc.
Mmmmm...
Neither could I. ;-)
Ha!
With this company, anything is possible.
Progressively instrusive, restrictive, and obnoxious EULA bump!
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.