Flaws in Microsoft Internet Explorer found
By Our Convergence Bureau | 13 Aug 2002
San Francisco: Security researchers claim that they have found serious flaws in Microsoft’s Internet Explorer (IE) browser and in PGP, a widely used data scrambling programme, that could expose credit card and other sensitive information of Internet users.
The IE problem has been around for at least five years and could allow an attacker to intercept personal data when a user is making a purchase or providing information for e-commerce purposes, says Mike Benham, an independent security researcher based in San Francisco.
“If you ever typed in credit card information to a Secure Sockets Layer (SSL) site, there’s a chance that somebody has intercepted it,” he adds. “IE fails to check the validity of digital certificates used to prove the identity of websites, allowing for an undetected, man-in-the-middle attack.”
Digital certificates are typically issued by trusted certificate authorities, such as VeriSign, and used by websites in conjunction with the SSL protocol for encryption and authentication. Anyone with a valid digital certificate for any website can generate a valid certificate for any other website, says Benham. “I would consider this to be incredibly severe.”
Cryptography expert Bruce Schneier, co-founder and chief technology officer at Counterpane Internet Security, a California-based network monitoring firm, agrees: “This is one of the worst cryptographic vulnerabilities I’ve seen in a long time. What this means is that all the cryptographic protections of SSL don’t work if you’re a Microsoft IE user.”