Yet another bug has been found in Microsoft’s Internet Explorer browser,
this one said to potentially allow the theft of data from consumers who are
banking online or shopping at e-commerce Web sites.
is investigating, but has yet to make a formal
statement or issue a fix. One security expert was quoted as saying that “the
cryptographic protections of SSL don’t work if you’re a Microsoft IE user.”
The loophole could allow hackers to trick computer users into thinking they
are shopping at legitimate Web sites, exposing their credit card numbers and
other personal information.
The flaw was discovered by Mike Benham, a San Francisco programmer who
a note to the Bugtraq mailing list on the SecurityFocus Internet site,
outlining what he called the possibility of an undetected “man in the
Some security experts said it was a serious concern; others were quoted as
saying that the complexity and knowledge required to exploit the
vulnerability makes the probability of widespread attacks unlikely.
Benham said in his warning that Internet Explorer versions 5.0, 5.5 and 6.0
have loopholes in handling digital certificates, such as those from VeriSign
, which verify Web sites as being legitimate and also
include unique code for encrypting information.
Essentially, any Web site operator with a valid certificate could pretend to
be any other Web site operator, Benham said.
“I would consider this to be incredibly severe,” Benham said in his posting.
“Any of the standard connection hijacking techniques can be combined with
this vulnerability to produce a successful man in the middle attack.”
Netscape has no such loophole, he said.
Microsoft reportedly is still investigating and is unsure even whether to
call it a vulnerability, Scott Culp, manager of Microsoft’s Security
Center, was quoted as saying. However, Microsoft and VeriSign were said to
working together on the matter and a VeriSign spokesman said that no real
cases have been reported in which someone has successfully spoofed a Web
or gained information.
Internet Explorer has a long history of security flaws, almost all of which
have been patched at one time or another.