The New York Times | A.P. Index | August 12, 2002


Microsoft Explorer May Have Flaw

By THE ASSOCIATED PRESS

Filed at 6:58 p.m. ET

SEATTLE (AP) -- Microsoft is investigating claims that its popular Internet Explorer software has a loophole that lets attackers pose as legitimate Web site operators, potentially giving them access to computer users' names, passwords and credit card numbers.

Although Microsoft said it's too soon to judge the severity of the problem -- and even whether the flaw exists -- some programmers and consultants said it could threaten the security of everything from online banking to Web-based commerce.

The problem is "fairly serious," said Elias Levy, a member of software security company Symantec Corp.'s security response team. He said that the complexity involved makes widespread attacks unlikely.

Attackers taking advantage of the loophole could trick computer users into thinking they are visiting legitimate Web sites, and could convince them to divulge personal information.

Mike Benham, a San Francisco programmer who discovered the problem, posted his findings Aug. 5 on a popular security-alert Web site.

Benham said Internet Explorer versions 5.0, 5.5 and 6.0 have loopholes in handling Web sites' digital certificates, such as those from VeriSign, which verify Web sites as being legitimate and also include unique code for encrypting information.

Essentially, any Web site operator with a valid certificate could pretend to be any other Web site operator.

Theoretically, he said, attackers could successfully hijack computer users -- such as over a company's internal network -- as they went to banking or e-commerce Web sites and intercept their information. Or they could send hijacked users to dummy Web sites and get them to give personal information.

Other Web browsers, such as Netscape and Mozilla, aren't vulnerable, Benham said.

Microsoft is still investigating and is unsure even whether to call it a vulnerability, said Scott Culp, manager of Microsoft's Security Response Center.

The possible flaw comes as Microsoft has launched a high-profile effort, called its Trustworthy Computing initiative, to resolve security concerns. But problems remain. The company has issued 41 security bulletins with patches so far this year.

Microsoft criticized Benham for not contacting Microsoft first when he discovered the problem, and instead posting it on the Internet. Benham said he did not directly notify Microsoft because he was frustrated by the company's response to other security researchers in the past.

Microsoft maintains it is difficult to wage an attack as Benham outlined, although Levy and another security expert, Bruce Schneier at Counterpane Internet Security, said it is possible.

"Investigating a security vulnerability sometimes takes a little bit longer than people may expect, because it's important that we be absolutely right about the answer we provide," Culp said. He added that Microsoft has not contacted Benham because they had sufficient information and doubted whether he was committed to helping solve the problem.

E-commerce companies have since contacted Microsoft about their concerns, Culp said.

VeriSign, one of the biggest providers of digital certificates, said it learned of the problem on Friday and contacted Microsoft, said Ben Golub, senior vice president of trust and payment services.

He said the two companies are working together to resolve the problem and that they don't know of any real cases yet where someone has successfully spoofed a Web site or gained information.

------

On the Net:

http://www.microsoft.com

http://www.securityfocus.com/







Copyright 2002 The Associated Press