Microsoft Corp. said yesterday that the Secure Sockets Layer (SSL) flaw recently uncovered by an independent researcher is in multiple versions of the Windows operating system, not its Internet Explorer Web browser.
Company officials added that the flaw isn't in Microsoft's CryptoAPI application program interface (CAPI) either, which would have left a number of applications and Windows services vulnerable, not just Internet Explorer.
Security researcher Mike Benham reported that Internet Explorer had a security flaw that could undermine the security provided by SSL, a standard for securing online transactions and e-commerce (see story). The flaw opens a vulnerability called a man-in-the-middle attack, where the attacker can hijack an SSL session and decrypt messages that could contain credit card or Social Security numbers.
Microsoft said it's working on patches for Windows 98, Me, NT4, 2000 and XP. It wouldn't say when the patches would be available.
"This SSL flaw has been described as an [Internet Explorer] problem, but it is a Windows issue. It's in the crypto of the operating system, so we have to patch the OS," said Scott Culp, manager of the Microsoft Security Response Center. "IE is a consumer of those crypto services."
He described it as an "implementation problem in the way SSL certificates are processed, where information is not available in the certificate or it is available in two places and there is a conflict."
Culp said the flaw doesn't lie within CAPI but in the code that performs validation of SSL certificate chains, which refers to the hierarchy of trust that cascades from certificate authorities such as VeriSign Inc. The operating system must be patched, because Internet Explorer doesn't have its own cryptography code and must rely on the operating system for that service, he said.
Konqueror.org was able to patch its open-source Konqueror Web browser, which had the same SSL flaw as Internet Explorer, in less than 90 minutes because it uses its own built-in certification verification library.
Microsoft officials said it makes sense for the operating system to provide cryptographic services to any application that needs it, instead of each application having to include its own cryptographic technology.
But Culp said that the SSL flaw doesn't affect any other application outside Internet Explorer and that it's a client-side issue only.
The IDG News Service contributed to this report.
This story, "Microsoft: SSL flaw is in operating system, not Web browser" was originally published by Network World.