Microsoft: SSL flaw is in operating system, not Web browser
Network World - Microsoft Corp. said yesterday that the Secure Sockets Layer (SSL) flaw recently uncovered by an independent researcher is in multiple versions of the Windows operating system, not its Internet Explorer Web browser.
Company officials added that the flaw isn't in Microsoft's CryptoAPI application program interface (CAPI) either, which would have left a number of applications and Windows services vulnerable, not just Internet Explorer.
Security researcher Mike Benham reported that Internet Explorer had a security flaw that could undermine the security provided by SSL, a standard for securing online transactions and e-commerce (see story). The flaw opens a vulnerability called a man-in-the-middle attack, where the attacker can hijack an SSL session and decrypt messages that could contain credit card or Social Security numbers.
Microsoft said it's working on patches for Windows 98, Me, NT4, 2000 and XP. It wouldn't say when the patches would be available.
"This SSL flaw has been described as an [Internet Explorer] problem, but it is a Windows issue. It's in the crypto of the operating system, so we have to patch the OS," said Scott Culp, manager of the Microsoft Security Response Center. "IE is a consumer of those crypto services."
He described it as an "implementation problem in the way SSL certificates are processed, where information is not available in the certificate or it is available in two places and there is a conflict."
Culp said the flaw doesn't lie within CAPI but in the code that performs validation of SSL certificate chains, which refers to the hierarchy of trust that cascades from certificate authorities such as VeriSign Inc. The operating system must be patched, because Internet Explorer doesn't have its own cryptography code and must rely on the operating system for that service, he said.
Konqueror.org was able to patch its open-source Konqueror Web browser, which had the same SSL flaw as Internet Explorer, in less than 90 minutes because it uses its own built-in certification verification library.
Microsoft officials said it makes sense for the operating system to provide cryptographic services to any application that needs it, instead of each application having to include its own cryptographic technology.
But Culp said that the SSL flaw doesn't affect any other application outside Internet Explorer and that it's a client-side issue only.
The IDG News Service contributed to this report.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Malware and Vulnerabilities White Papers | Webcasts