IDG News Service - A security flaw in Microsoft Corp.'s Internet Explorer Web browser could undermine the supposedly watertight Secure Sockets Layer (SSL) standard for securing online transactions and e-commerce, according to a security researcher.
Internet Explorer's implementation of SSL contains a vulnerability that allows what is described as an active, undetected, man-in-the-middle attack, where no dialogs are shown and no warnings are given.
Security researcher Mike Benham said the problem is that Internet Explorer fails to check the basic constraints of certificates signed by intermediate certificate authorities (CA). That means that, with respect to Internet Explorer, anyone with a signed certificate for any domain could generate a certificate for any other domain, which would appear to be signed by a valid CA.
Describing the flaw, Internet security Web site Hideaway.net said, "Spoofing a trusted Web site is thus a trivial exploit; when combined with session hijacking, a man-in-the-middle attack is quite feasible. This destroys the whole purpose of SSL certificates in the first place."
Benham said Internet Explorer 5 and Internet Explorer 5.5 are vulnerable to this kind of exploit, and Internet Explorer 6 is vulnerable under most circumstances.
"I would consider this to be incredibly severe," Benham said in a newsgroup thread. "Any of the standard connection hijacking techniques can be combined with this vulnerability to produce a successful man-in-the-middle attack. Since no warnings are given and no dialogs are shown, the attacker has effectively circumvented all security that an SSL certificate provides."
Microsoft, which is investigating the vulnerability report, wasn't as quick to call the exploit trivial.
The scenario described by Benham would be difficult to exploit since it would require a man-in-the-middle attack, something a Microsoft spokeswoman called, in an e-mail to the IDG News Service, "technically difficult, temporary, and [requiring] favorable network topography."
The attack is also not as anonymous as Benham charges because it requires a valid certificate, and the CA that had issued the certificate would have a record of whom it had been sold to, the spokeswoman said.
Finally, if the user inspected the certificate, he would find that it was from someone he hadn't heard of and he should therefore be suspicious, she added.
A spokesperson for Microsoft's Security Response Center said that once the investigation is completed, the company will take the action that best serves users.
Benham said his experience showed it would be difficult to get Microsoft to address the issue.
"Last week, I saw Microsoft downplay and obfuscate the severity of the IE vulnerability that Adam Megacz reported," he wrote in the newsgroup thread. That vulnerability could allow JavaScript-enabled browsers to make available to an external attacker the contents of machines located on a local network or intranet.
"After seeing that, I don't feel like wasting time with the Microsoft PR department," Benham said.
Microsoft has long been an advocate of so-called "responsible disclosure," meaning that researchers ought to give their vulnerability findings to vendors and wait until a patch has been released before disclosing information about vulnerabilities. The policy has created controversy in the security research community, with some arguing that better security is achieved through full disclosure, the immediate publication of vulnerability information. In such circles, responsible disclosure is often derided as "security through obscurity."
Sticking to the responsible disclosure line, the spokeswoman said that "only Microsoft can investigate at a source-code level; only Microsoft can build a patch, if needed."
"We're very concerned that publishing a report in this fashion could cause users to be concerned and apprehensive; if [Benham] had handled it correctly, we all would be in a better position to understand the real scope and remediation [of the vulnerability]," she said.
Computerworld reporter Linda Rosencrance contributed to this report.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
