RE: Major IE SSL Vulnerability?

From: Emlyn O'regan (oregan.emlyn@healthsolve.com.au)
Date: Wed Aug 14 2002 - 21:05:57 MDT


Here's the top part of a confused warning email that I received about this
bug (first bringing it to my attention):

----
FYI you online shoppers (Windows XP is not vulnerable to this exploit)
 
SSL defeated in IE and Konqueror
By Thomas C Greene in Washington
Posted: 12/08/2002 at 06:38 GMT
A colossal stuff-up in Microsoft's and KDE's implementation of SSL (Secure
Sockets Layer) certificate handling makes it possible for anyone with a
valid VeriSign SSL site certificate to forge any other VeriSign SSL site
certificate, and abuse hapless Konqueror and Internet Explorer users with
impunity. 
----
Windows XP is not vulnerable? What a weird assertion, since this is
apparently a browser bug not originating in the OS. 
If true, it smacks of MS's past tactics of only adding fixes and new
features to newer versions of products, forcing upgrade. I'm particularly
suspicious about this one, given MS's recent security blitz; are they going
to wait for the sh*t to hit the fan, then announce that the only way to be
secure is to get their latest software (including XP)? Are SSL site
operators going to have to reject connections by users of IE 5.5 and below,
thus creating a large-scale distributed impetus for clients to upgrade?
Comments?
Emlyn
----
> -----Original Message-----
> From: Harvey Newstrom [mailto:mail@HarveyNewstrom.com]
> Sent: Thursday, 15 August 2002 12:04
> To: extropians@extropy.org
> Subject: Re: Major IE SSL Vulnerability?
> 
> 
> 
> On Wednesday, August 14, 2002, at 09:34 pm, Emlyn O'regan wrote:
> 
> > This has come up today, and is of some concern to me professionally. I was
> > wondering whether anyone else here knows anything about it? Harvey? I'm not
> > sure if it's real, or a big hoax.
> 
> This is real.  It is not a hoax.  Only Microsoft Internet Explorer has
> this bug.  It does not exist in Netscape or Opera or other browsers.
> Microsoft's bug has existed for many releases because their proprietary
> code is not reviewed by anybody else.  OpenSSL and other open-source
> libraries not only do not have this error, but have been quickly
> confirmed by reviewers all over to be unaffected.  In my opinion, this
> is a good example why open source is more secure than secret source.
> 
> In typical response, Microsoft is trying to confuse the issue and claim
> it is too hard for people to really use this bug.  Despite the many demo
> sites demonstrating this bug, Microsoft says it is not a priority one
> issue for them to fix.  VeriSign and other Certificate Authorities seem
> more interested in getting this problem fixed.  They have done nothing
> wrong, but are losing trust among customers because their clients don't
> utilize the security correctly.
> 
> --
> Harvey Newstrom, CISSP		<www.HarveyNewstrom.com>
> Principal Security Consultant	<www.Newstaff.com>
> 
> 


This archive was generated by hypermail 2.1.5 : Sat Nov 02 2002 - 09:16:07 MST