Microsoft: SSL flaw is in operating system, not Web browser
Network World - Microsoft Corp. said yesterday that the Secure Sockets Layer (SSL) flaw recently uncovered by an independent researcher is in multiple versions of the Windows operating system, not its Internet Explorer Web browser.
Company officials added that the flaw isn't in Microsoft's CryptoAPI application program interface (CAPI) either, which would have left a number of applications and Windows services vulnerable, not just Internet Explorer.
Security researcher Mike Benham reported that Internet Explorer had a security flaw that could undermine the security provided by SSL, a standard for securing online transactions and e-commerce (see story). The flaw opens a vulnerability called a man-in-the-middle attack, where the attacker can hijack an SSL session and decrypt messages that could contain credit card or Social Security numbers.
Microsoft said it's working on patches for Windows 98, Me, NT4, 2000 and XP. It wouldn't say when the patches would be available.
"This SSL flaw has been described as an [Internet Explorer] problem, but it is a Windows issue. It's in the crypto of the operating system, so we have to patch the OS," said Scott Culp, manager of the Microsoft Security Response Center. "IE is a consumer of those crypto services."
He described it as an "implementation problem in the way SSL certificates are processed, where information is not available in the certificate or it is available in two places and there is a conflict."
Culp said the flaw doesn't lie within CAPI but in the code that performs validation of SSL certificate chains, which refers to the hierarchy of trust that cascades from certificate authorities such as VeriSign Inc. The operating system must be patched, because Internet Explorer doesn't have its own cryptography code and must rely on the operating system for that service, he said.
Konqueror.org was able to patch its open-source Konqueror Web browser, which had the same SSL flaw as Internet Explorer, in less than 90 minutes because it uses its own built-in certification verification library.
Microsoft officials said it makes sense for the operating system to provide cryptographic services to any application that needs it, instead of each application having to include its own cryptographic technology.
But Culp said that the SSL flaw doesn't affect any other application outside Internet Explorer and that it's a client-side issue only.
The IDG News Service contributed to this report.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- Accelerating Network Convergence in Virtualized and Cloud Data Centers Adopting a converged networking strategy enables organizations to traffic server and storage I/O workloads on consolidated data throughput channels. Intelligent software helps optimize...
- Omnichannel: From Buzzword to Strategy Customers demand a seamless experience across channels, especially mobile. Read this whitepaper for a research-based framework for using omnichannel for higher customer engagement.
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Malware and Vulnerabilities White Papers | Webcasts