Responding to a claim by U.S. security researcher Mike Benham that a security flaw in Microsoft Corp.’s Internet Explorer Web browser can completely undermine the supposedly watertight Secure Sockets Layer standard for securing online transactions and e-commerce, Microsoft Corp. said the recently uncovered flaw is in multiple versions of the Windows operating system and not in Internet Explorer.
Company officials added that the flaw also is not in Microsoft’s CryptoAPI (CAPI), which would leave a number of applications and Windows services vulnerable, not just IE.
The patch is available on the Microsoft Web site, titled Cumulative Patch for Internet Explorer (Q323759)
“This SSL flaw has been described as an [Internet Explorer] problem but it is a Windows issue. It’s in the crypto of the operating system so we have to patch the OS,” said Scott Culp manager of the Microsoft Security Response Center. “IE is a consumer of those crypto services.”
He said it is an “implementation problem in the way SSL certificates are processed where information is not available in the certificate or it is available in two places and there is a conflict.”
Culp said the flaw does not lie within CAPI but in the code that performs validation of SSL certificate chains, meaning the hierarchy of trust that cascades from certificate authorities such as VeriSign Inc. The OS must be patched because IE does not have its own cryptography code and must rely on the OS for that service, he said.
Benham reported that the IE flaw undermines the security provided by SSL by creating a vulnerability called a man-in-the-middle attack, where the attacker can hijack an SSL session and decrypt messages that could contain credit card numbers or social security numbers.
Microsoft said it would be difficult to exploit the flaw. The scenario described by Benham would be difficult to exploit since it would require the man-in-the-middle attack, something a Microsoft spokesperson called, in an e-mail to the IDG News Service, “technically difficult, temporary, and (requiring) favourable network topography.”
The attack is also not as anonymous as Benham charges, as it requires a valid certificate and the certificate authority that had issued the certificate would have a record of to whom it had been sold, the spokeswoman said. If the user were to inspect the certificate, they would find that it was from someone they hadn’t heard of and should therefore be suspicious, she added.
It is unknown how much this announcement will influence consumer confidence when using IE for Internet transactions. A spokesperson for eBay Canada said the company was looking into the problem but was not aware of any impact on its user levels. There has been no noticeable change or decrease in traffic to the company’s Web site due to the announcement, the spokesperson said.
Microsoft officials said it makes sense for the OS to provide cryptographic services to any application that needs it instead of each application having to include it’s own cryptographic technology.
But Culp said the SSL flaw does not effect any other application outside IE and that it is a client side issue only.
“That’s interesting, I’ll have to do some more testing,” Benham said. “Possibly this is a second can of worms.”
– With files from Chris Conrath