We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Microsoft not scared by security flaw

Researchers claim IE flaw is severe, software maker not so sure

A security flaw in Microsoft's IE (Internet Explorer) web browser can completely undermine the supposedly watertight Secure Sockets Layer (SSL) standard for making online transactions and e-commerce watertight.

IE's implementation of SSL contains a vulnerability which allows what is described as an active, undetected, man-in-the-middle attack, where no dialogues are shown and no warnings are given.

Security researcher Mike Benham said the problem is that IE fails to check the Basic Constraints of certificates signed by intermediate Certificate Authorities (CAs). That means, as far as IE is concerned, anyone with a signed certificate for any domain can generate a certificate for any other domain, which will appear to be signed by a valid CA.

Describing the flaw, internet security website Hideaway.net said, "Spoofing a trusted website is thus a trivial exploit; when combined with session hijacking, a man-in-the-middle attack is quite feasible. This destroys the whole purpose of SSL certificates."

Benham said that IE 5.0 and IE 5.5 are totally vulnerable to this kind of exploit, and IE 6.0 is vulnerable under most circumstances.

"I would consider this to be incredibly severe," Benham said in a newsgroup thread. "Any of the standard connection hijacking techniques can be combined with this vulnerability to produce a successful man-in-the-middle attack. Since no warnings are given and no dialogues are shown, the attacker has effectively circumvented all security that an SSL certificate provides."

Microsoft, which is currently investigating the vulnerability report, believes such an attack would not be so simple to execute.

The scenario described by Benham would be difficult to exploit since it would require a man-in-the-middle attack, something a Microsoft spokeswoman called "technically difficult, temporary, and [requiring] favourable network topography".

The attack is also not as anonymous as Benham charges, as it needs a valid certificate and the CA that had issued the certificate would have a record showing who it had been sold to, Microsoft said.

Lastly, if the user were to inspect the certificate, they would find that it was from someone they hadn't heard of and should therefore be suspicious, the spokeswoman warned.

Microsoft has given no indications that it plans to fix this flaw, and Benham said his experience showed it would be difficult to get Microsoft to address the issue.

"Last week I saw Microsoft downplay and obfuscate the severity of the IE vulnerability that Adam Megacz reported," he wrote in the newsgroup thread. That vulnerability could allow JavaScript-enabled browsers to make available to an external attacker the contents of machines located on a local network or intranet.

"After seeing that, I don't feel like wasting time with the Microsoft PR department," Benham said.

Microsoft has long been an advocate of so-called "responsible disclosure", meaning that researchers ought to give their vulnerability findings to vendors and wait until a patch has been released before disclosing their information.

The policy has created controversy in the security research community, with some arguing that better security is achieved through full disclosure — the immediate publication of vulnerability information. In such circles, responsible disclosure is often derided as "security through obscurity".

Sticking to the responsible disclosure line, the spokeswoman said that "only Microsoft can investigate at a source code level; only Microsoft can build a patch, if needed".

"We're very concerned that publishing a report in this fashion could cause users to be concerned and apprehensive; if [Benham] had handled it correctly, we all would be in a better position to understand the real scope, and remediation [of the vulnerability]," she said.

IDG UK Sites

Best camera phone of 2015: iPhone 6 Plus vs LG G4 vs Galaxy S6 vs One M9 vs Nexus 6

IDG UK Sites

In defence of BlackBerrys

IDG UK Sites

Why we should reserve judgement on Apple ditching Helvetica in OS X/iOS for the Apple Watch's San...

IDG UK Sites

Retina 3.3GHz iMac 27in preview: Apple cuts £400 of price of Retina iMac with new model