Latest IE Flaw an E-Commerce Threat?

Another in a long string of loopholes is reported in the browser, this one allowing hackers to spoof a site and obtain personal data from consumers.


You Can't Detect What You Can't See: Illuminating the Entire Kill Chain

On-Demand Webinar

Posted August 13, 2002

Beth Cox

Yet another bug has been found in Microsoft's Internet Explorer browser, this one said to potentially allow the theft of data from consumers who are banking online or shopping at e-commerce Web sites.

Microsoft is investigating, but has yet to make a formal statement or issue a fix. One security expert was quoted as saying that "the cryptographic protections of SSL don't work if you're a Microsoft IE user."

The loophole could allow hackers to trick computer users into thinking they are shopping at legitimate Web sites, exposing their credit card numbers and other personal information.

The flaw was discovered by Mike Benham, a San Francisco programmer who posted a note to the Bugtraq mailing list on the SecurityFocus Internet site, outlining what he called the possibility of an undetected "man in the middle" attack.

Some security experts said it was a serious concern; others were quoted as saying that the complexity and knowledge required to exploit the vulnerability makes the probability of widespread attacks unlikely.

Benham said in his warning that Internet Explorer versions 5.0, 5.5 and 6.0 have loopholes in handling digital certificates, such as those from VeriSign , which verify Web sites as being legitimate and also include unique code for encrypting information.

Essentially, any Web site operator with a valid certificate could pretend to be any other Web site operator, Benham said.

"I would consider this to be incredibly severe," Benham said in his posting. "Any of the standard connection hijacking techniques can be combined with this vulnerability to produce a successful man in the middle attack." Netscape has no such loophole, he said.

Microsoft reportedly is still investigating and is unsure even whether to call it a vulnerability, Scott Culp, manager of Microsoft's Security Response Center, was quoted as saying. However, Microsoft and VeriSign were said to be working together on the matter and a VeriSign spokesman said that no real cases have been reported in which someone has successfully spoofed a Web site or gained information.

Internet Explorer has a long history of security flaws, almost all of which have been patched at one time or another.

0 Comments (click to add your comment)
Comment and Contribute


(Maximum characters: 1200). You have characters left.



IT Management Daily
Don't miss an article. Subscribe to our newsletter below.

By submitting your information, you agree that datamation.com may send you Datamation offers via email, phone and text message, as well as email offers about other products and services that Datamation believes may be of interest to you. Datamation will process your information in accordance with the Quinstreet Privacy Policy.