BBC NEWSAmericasAfricaEuropeMiddle EastSouth AsiaAsia Pacific
BBCiNEWS  SPORT  WEATHER  WORLD SERVICE  A-Z INDEX    

BBC News World Edition
 You are in: Technology 
News Front Page
Africa
Americas
Asia-Pacific
Europe
Middle East
South Asia
UK
Business
Entertainment
Science/Nature
Technology
Health
-------------
Talking Point
-------------
Country Profiles
In Depth
-------------
Programmes
-------------
BBC Sport
News image
BBC Weather
News image
SERVICES
Daily E-mail
News Ticker
Mobile/PDAs
-------------
Text Only
Feedback
Help
EDITIONS
Change to UK
Tuesday, 13 August, 2002, 10:20 GMT 11:20 UK
Microsoft looks into browser 'flaw'
Computer user at home
Computer users could be at risk from spoof sites
Microsoft is investigating reports that its popular Internet Explorer browser has a loophole that could expose a computer user's name, passwords and credit card numbers.

Malicious hackers taking advantage of the loophole could trick users into thinking they are visiting legitimate websites and could fool them into divulging personal information.

Security experts have described the problem as serious, though they say the complexity involved makes the probability of widespread attacks unlikely.

Microsoft is looking into the reports, but is playing down the risks to internet users.

Fool users

The problem was discovered by San Francisco programmer Mike Benham.


Based on the preliminary investigation so far, it's obvious there would be some daunting challenges with the scenario that's been described

Scott Culp, Microsoft
He said that Internet Explorer versions 5.0, 5.5 and 6.0 have loopholes in handling digital certificates which verify websites as being legitimate.

Anyone with a valid digital certificate for a website could generate a valid certificate for any other site and theoretically successfully intercept data sent to banking or e-commerce sites, according to Mr Benham.

"This is one of the worst cryptographic vulnerabilities I've seen in a long time," said cryptography expert Bruce Schneier of Counterpane Internet Security.

Daunting challenges

The software giant is looking into the issue, but is unsure even whether to call it a vulnerability, said Scott Culp, manager of Microsoft's Security Response Center.

"What we are saying is that based on the preliminary investigation so far, it's obvious there would be some daunting challenges with the scenario that's been described," he said.

Since reports of the problem first appeared, various e-commerce companies have been in touch with Microsoft.

Microsoft is working with VeriSign, one of the biggest providers of digital certificates, to resolve the problem.

So far neither company has received any reports of cases where someone has successfully spoofed a website or gained information.

See also:

19 Jun 02 | Business
12 Jun 02 | Business
27 May 02 | Science/Nature
17 Jan 02 | Science/Nature
21 Dec 01 | Science/Nature
27 Jun 02 | Science/Nature
19 Dec 01 | Science/Nature
Internet links:

Microsoft
Security Focus
Counterpane

The BBC is not responsible for the content of external internet sites
Top Technology stories now:

Real boss tackles online piracy
Hacker breaches credit card security
Intel looks to the future
Indian police hunt bandit online
Salon warns time is running out
Phone mast emissions 'well below limits'
Mobile phone firms look to future
Robots get cheeky
Links to more Technology stories are at the foot of the page.


E-mail this story to a friend

Links to more Technology stories

© BBC^^ Back to top

News Front Page | Africa | Americas | Asia-Pacific | Europe | Middle East |
South Asia | UK | Business | Entertainment | Science/Nature |
Technology | Health | Talking Point | Country Profiles | In Depth |
Programmes

----------------------------------------------------------------------------------
To BBC Sport>> | To BBC Weather>> | To BBC World Service>>
----------------------------------------------------------------------------------
© MMIII | News Sources | Privacy