|Editions | myCNN | Video | Audio | Headline News Brief | Feedback||
Check digital certificates in Internet Explorer 4 and 5, users cautioned
(IDG) -- The Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University in Pittsburgh today issued a warning that newly found flaws in Internet Explorer could allow an attacker to trick users into disclosing information, such as credit-card numbers and personal data, intended for legitimate Web sites.
Internet Explorer (IE), Netscape Navigator and other browsers indicate when a Secure Socket Layer (SSL) encrypted transaction has been established, but the software doesn't indicate to whom the connection has been made. The flaws involve the way IE validates digital certificates through SSL.
Microsoft, which issued its own bulletin yesterday, said there are two vulnerabilities.
Microsoft identified IE 4.0, 4.01, 5 and 5.01 as the versions that contain these flaws. It said the chances of these vunerabilities occurring are "fairly restricted" because an attacker would need to inflict a domain name system (DNS) "poisoning" ÷ redirecting a domain name to another server ÷ or physically replace a server to carry out these attacks.
The company also issued a patch for these versions of IE. Microsoft didn't return calls for additional comments by press time.
In CERT's advisory, the organization advised users that, in addition to staying up-to-date on browser patches, they should check SSL connections before transmitting sensitive data. "DNS information is fundamentally insecure, and there are a variety of means by which an attacker can provide false or misleading DNS information," according to the advisory.
Users can look at certificate details within a browser after an SSL connection is established, and check that the certificate name belongs to the site to which they think they're sending data.
Picking up the (digital) check
RELATED IDG.net STORIES:
Feds issue list of top 10 Net threats
Microsoft Security Bulletin
|Back to the top||
© 2001 Cable News Network. All Rights Reserved.|
Terms under which this service is provided to you.
Read our privacy guidelines.