We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
79,693 News Articles

Microsoft 'investigating IE hijack vulnerability'

Still in denial over two-month-old problem?


Microsoft is still reluctant to acknowledge a weakness in Internet Explorer that allows attackers to hijack secure web sessions

At the same time, browsers with the flaw he describes read x.509 certificates until they reach a null character, such as 0. If such a browser reads bestbank.com\0hacker.com, it would stop reading at the 0 and interpret the certificate as authenticating the root domain bestbank.com, the researcher says.

Browsers without the flaw correctly identify the root domain and sign or don't sign based on it.

An attacker could exploit the weakness by setting up a man-in-the-middle attack and intercepting requests from vulnerable browsers to set up SSL connections.

If the attacking server picks off a request to bestbank.com, it could respond with an authenticated x.509 certificate from bestbank.com\0hacker.com. The vulnerable browser would interpret the certificate as being authorised for bestbank.com and set up a secure session with the attacking server.

The user who has requested a session with bestbank would naturally assume the connection established was to bestbank.

Once the link is made, the malicious server can ask for passwords and user identifications that the attackers can exploit to break into users' bestbank accounts and manipulate funds, for example, Marlinspike says.

Wildcard authentication

In some cases attackers can create what Marlinspike calls wildcard certificates that will authenticate any domain name.

These certificates use an asterisk as the sub-domain followed by a null character followed by a registered root domain.

A vulnerable browser that initiated an SSL session with bestbank.com would interpret a certificate marked *\0hacker.com as coming from bestbank.com because it would automatically accept the * as legitimate for any root domain.

This is due to "an idiosyncrasy in the way Network Security Services (NSS) matches wildcards", Marlinspike says in a paper detailing the attack. Such a wildcard will match any domain, he says.

The differences between what users see on their screens when they hit the site they are aiming for and when they hit an attacker's mock site can be subtle. The URLs in the browser would reveal that the wrong site has been reached, but many users don't check for that, Marlinspike says.

A Microsoft spokesperson says Internet Explorer 8 highlights domains to make them more visually obvious, printed in black while the rest of the URL is grey.

"Internet Explorer 8's improved address bar helps users more easily ensure that they provide personal information only to sites they trust," Microsoft said.

Marlinspike says the null character vulnerability is not limited to browsers.

"Plenty of non-web browsers are also vulnerable. Outlook, for example, uses SSL to protect your login/password when communicating over SMTP and POP3/IMAP. There are probably countless other Windows-based SSL VPNs, chat clients, etc. that are all vulnerable as well," he said.

Broadband speed test

PC security advice

See also: Microsoft launches first online Office app preview


IDG UK Sites

Windows 9 release date, price, features: 30 September marked for unveiling

IDG UK Sites

Gateway to your kingdom: why everybody should check and update their broadband router

IDG UK Sites

Netflix whips up 3D VR viewing room for Oculus Rift during company hack day

IDG UK Sites

Best Mac? Complete Apple Mac buyers guide for 2014