Severe IE Flaw Undermines SSL Security

IE's implementation of SSL contains a vulnerability which allows what is

described as an active, undetected, man-in- the-middle attack, where no

dialogs are shown and no warnings are given.

Security researcher Mike Benham said the problem is that IE fails to

check the Basic Constraints of certificates signed by intermediate

Certificate Authorities (CAs). That means that as far as IE is

concerned, anyone with a signed certificate for any domain can generate

a certificate for any other domain, which will appear to be signed by a

valid CA.

Describing the flaw, Internet security Web site Hideaway.net said:

"Spoofing a trusted Web site is thus a trivial exploit; when combined

with session hijacking, a man-in-the-middle attack is quite feasible.

This destroys the whole purpose of SSL certificates in the first place."

Benham said that IE 5 and IE 5.5 are totally vulnerable to this kind of

exploit, and IE 6 is vulnerable under most circumstances.

"I would consider this to be incredibly severe," Benham said in a

newsgroup thread. "Any of the standard connection hijacking techniques

can be combined with this vulnerability to produce a successful man in

the middle attack. Since no warnings are given and no dialogs are shown,

the attacker has effectively circumvented all security that an SSL

certificate provides."

Microsoft has given no indications that it plans to fix this flaw, and

Benham said his experience showed it would be difficult to get Microsoft

to address the issue.

"Last week I saw Microsoft downplay and obfuscate the severity of the IE

vulnerability that Adam Megacz reported," he wrote in the newsgroup

thread. That vulnerability could allow Javascript-enabled browsers to

make available to an external attacker the contents of machines located

on a local network or intranet.

"After seeing that, I don't feel like wasting time with the Microsoft PR

department," Benham said.

Insider: How the basic tech behind the Internet works
Join the discussion
Be the first to comment on this article. Our Commenting Policies