BetaONE will rise again!


FreeUS, 13th Aug 02, 09:50 PM
Quote:

Security researchers on Monday said they have found serious flaws in Microsoft's Internet Explorer browser and in PGP, a widely used data scrambling program, that could expose credit card and other sensitive information of Internet users.
The Internet Explorer (IE) problem has been around for at least five years and could allow an attacker to intercept personal data when a user is making a purchase or providing information for e-commerce purposes, said Mike Benham, an independent security researcher based in San Francisco.
"If you ever typed in credit card information to an SSL site there's a chance that somebody intercepted it," he added.
Internet Explorer fails to check the validity of digital certificates used to prove the identity of Web sites, allowing for an "undetected, man in the middle attack," he said.
Digital certificates are typically issued by trusted certificate authorities, such as VeriSign Inc., and used by Web sites in conjunction with the Secure Sockets Layer (SSL) protocol for encryption and authentication.
Anyone with a valid digital certificate for any Web site can generate a valid certificate for any other Web site, according to Benham.
"I would consider this to be incredibly severe," he added.
Cryptography expert Bruce Schneier agreed.
"This is one of the worst cryptographic vulnerabilities I've seen in a long time," said Schneier, co-founder and chief technology officer at Counterpane Internet Security, a Cupertino, California-based network monitoring firm.
"What this means is that all the cryptographic protections of SSL don't work if you're a Microsoft IE user," Schneier added.

Microsoft downplays report
Microsoft is investigating the IE flaw, said Scott Culp, manager of the Microsoft Security Response Center. Certain mitigating factors diminish the risk to users, he added.
For example, an attacker would have to create a fake Web site and redirect people from a legitimate Web site to the fake one, according to Culp.
"We're not, by any means, dismissing the report," he said. "What we are saying is that based on the preliminary investigation so far, it's obvious there would be some daunting challenges with the scenario that's been described."
Benham and Schneier disagreed, noting that people fake Web sites all the time and there are publicly available tools that allow attackers to redirect Web surfers.
An attacker wouldn't even need to create a fake Web site, but could merely intercept the data from a legitimate Web site without the victim knowing, Benham said.
Benham wrote a program that demonstrates how easy it is to intercept SSL connections and decrypt them.
"The reason SSL exists is to defend against these types of attacks," he said. "If these types of attacks were so hard, nobody would have to use SSL."
Schneier released information Monday about a separate flaw in the PGP (Pretty Good Privacy) program that is freely available and used to encrypt messages sent over the Internet.
Schneier and Jonathan Katz of the University of Maryland at College Park found a way an attacker could intercept a PGP encrypted message, modify it without decrypting it, dupe the user into sending it back, and retrieve the original message.
"It's beautiful mathematically, but in terms of seriousness, it's not that serious," Schneier said.