Another Microsoft Security Flaw Threatens Internet Users’ Trust
A security flaw in Microsoft’s Internet Explorer could expose personal information and undermine confidence in online commerce. If a patch is issued, all affected Microsoft products should be updated quickly.
On 12 August 2002, independent industry observers reported a serious security flaw in Microsoft’s Internet Explorer Web browser. The alleged flaw – in the way Internet Explorer handles the digital certificates that validate the identity of a Web server using a Secure Sockets Layer (SSL) connection – would give attackers an opportunity to pose as legitimate Web site operators and potentially gain access to sensitive personal information. Microsoft reports it is studying the reports but has not yet determined that the flaw exists.
The reported flaw seriously threatens Internet users’ confidence in the SSL protocol, developed by Netscape in the mid-1990s to provide transport-level security for information sent between Web browsers and Web servers. Since SSL’s inception, Internet users have come to believe that their sensitive personal information – including passwords and credit-card numbers – was protected whenever they went to an https link and saw the SSL lock symbol light up on their browser. However, the discovery of this apparent basic flaw in Microsoft’s ubiquitous Internet Explorer browser significantly undermines that level of trust.
An attack exploiting the reported flaw would be difficult to launch and not easily scriptable, so such a vulnerability would not readily lend itself to mass attacks. However, the flaw would make Internet Explorer a prime target for identity theft, because attackers could capture passwords or credit-card information from Internet users who believe they are connected to a trusted site. With Internet Explorer code embedded in the Windows operating system and many other Microsoft software products, users should consider the possibility that other Microsoft products using SSL have the same flaw.
Gartner considers the reported flaw to be a medium-level vulnerability (see “Internet Vulnerability Risk Rating Methodology”). However, active exploitation of the flaw could greatly undermine users’ confidence in e-commerce by making them reluctant to send passwords or credit-card information over the Internet. If Microsoft issues a patch, enterprises should update all Microsoft browsers and update intrusion detection and vulnerability scanning products to detect session hijacking attempts.
Analytical Source: John Pescatore, Gartner Research
Written by Terry Allan Hicks, Gartner News
Recommended Reading and Related Research
“Secure Sockets Layer Sometimes Isn’t” – SSL can be highly effective but can also give Internet users a false sense of security. By John Pescatore and Vic Wheatman
“New Web Vulnerabilities Require Immediate Action” – A growing number of flaws in Web software make security reviews an urgent enterprise need. By John Pescatore