August 13, 2002, 12:00 AM — IE's implementation of SSL contains a vulnerability which allows what is
described as an active, undetected, man-in- the-middle attack, where no
dialogs are shown and no warnings are given.
Security researcher Mike Benham said the problem is that IE fails to
check the Basic Constraints of certificates signed by intermediate
Certificate Authorities (CAs). That means that as far as IE is
concerned, anyone with a signed certificate for any domain can generate
a certificate for any other domain, which will appear to be signed by a
Describing the flaw, Internet security Web site Hideaway.net said:
"Spoofing a trusted Web site is thus a trivial exploit; when combined
with session hijacking, a man-in-the-middle attack is quite feasible.
This destroys the whole purpose of SSL certificates in the first place."
Benham said that IE 5 and IE 5.5 are totally vulnerable to this kind of
exploit, and IE 6 is vulnerable under most circumstances.
"I would consider this to be incredibly severe," Benham said in a
newsgroup thread. "Any of the standard connection hijacking techniques
can be combined with this vulnerability to produce a successful man in
the middle attack. Since no warnings are given and no dialogs are shown,
the attacker has effectively circumvented all security that an SSL
Microsoft has given no indications that it plans to fix this flaw, and
Benham said his experience showed it would be difficult to get Microsoft
to address the issue.
"Last week I saw Microsoft downplay and obfuscate the severity of the IE
vulnerability that Adam Megacz reported," he wrote in the newsgroup
make available to an external attacker the contents of machines located
on a local network or intranet.
"After seeing that, I don't feel like wasting time with the Microsoft PR
department," Benham said.