Microsoft: SSL flaw is in operating system, not Web browser
Network World - Microsoft Corp. said yesterday that the Secure Sockets Layer (SSL) flaw recently uncovered by an independent researcher is in multiple versions of the Windows operating system, not its Internet Explorer Web browser.
Company officials added that the flaw isn't in Microsoft's CryptoAPI application program interface (CAPI) either, which would have left a number of applications and Windows services vulnerable, not just Internet Explorer.
Security researcher Mike Benham reported that Internet Explorer had a security flaw that could undermine the security provided by SSL, a standard for securing online transactions and e-commerce (see story). The flaw opens a vulnerability called a man-in-the-middle attack, where the attacker can hijack an SSL session and decrypt messages that could contain credit card or Social Security numbers.
Microsoft said it's working on patches for Windows 98, Me, NT4, 2000 and XP. It wouldn't say when the patches would be available.
"This SSL flaw has been described as an [Internet Explorer] problem, but it is a Windows issue. It's in the crypto of the operating system, so we have to patch the OS," said Scott Culp, manager of the Microsoft Security Response Center. "IE is a consumer of those crypto services."
He described it as an "implementation problem in the way SSL certificates are processed, where information is not available in the certificate or it is available in two places and there is a conflict."
Culp said the flaw doesn't lie within CAPI but in the code that performs validation of SSL certificate chains, which refers to the hierarchy of trust that cascades from certificate authorities such as VeriSign Inc. The operating system must be patched, because Internet Explorer doesn't have its own cryptography code and must rely on the operating system for that service, he said.
Konqueror.org was able to patch its open-source Konqueror Web browser, which had the same SSL flaw as Internet Explorer, in less than 90 minutes because it uses its own built-in certification verification library.
Microsoft officials said it makes sense for the operating system to provide cryptographic services to any application that needs it, instead of each application having to include its own cryptographic technology.
But Culp said that the SSL flaw doesn't affect any other application outside Internet Explorer and that it's a client-side issue only.
The IDG News Service contributed to this report.
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Why You Need a Next-Generation Firewall This white paper explores the reasons for implementing next-generation (NG) firewalls and lays out a path to success for overburdened IT organizations.
- Path Selection Infographic Path Selection Infographic
- Hyperconvergence Infographic A wide range of observers agree that data centers are now entering an era of "hyperconvergence" that will raise network traffic levels faster...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users? All Malware and Vulnerabilities White Papers | Webcasts