
Man-In-The-Middle Attack - Serious IE 5.X and 6.0 SSL Security Flaw Revealed
By DANIEL CALLOWAY, TheWorldJournal.com



It was recently discovered that a serious flaw existed in the most prevalently installed and used browser throughout the world: Microsoft's Internet Explorer version 5.x and 6.0. Most vulnerable was the 6.0 version of the browser. This latest flaw is one that has many people scurrying to find a resolution because it affects the way we do business on the Internet.

Indeed, the flaw recently reported by InfoWorld magazine and others in the industry is a very serious one, known as the Man-In-The-Middle Attack security hole. It was found in Internet Explorer but was not present in other browsers such as Netscape, Mozilla, and Opera. At first glance, the security hole might have been thought to be in the browser itself; however, on closer inspection, the problem isn't in the browser at all.

The security flaw I am referring to here relates to something known as SSL. SSL stands for Secure Sockets Layer, a protocol used on the Internet to secure our communication through the browser with e-commerce sites, online banking institutions, and almost every other business on the web where we provide credit card or banking information when purchasing goods and services or conducting money transactions.

When you visit one of these websites and click on a button or visit a page to enter your credit card or banking information, you are taken to what you think is a secure site, where your information is supposed to be encrypted so prying eyes won't be able to see it as it is transmitted over the Internet to the business', credit card company's or bank's server, where it is captured and processed. You are told that the site is secure by the presence of a lock icon that appears in the system tray in the right-hand side of your PC's screen and because the web address of the site you're conducting business with changes from http:// ... to https:// ..., indicating that the site is a secure site. The process uses SSL to secure the site so that information is encrypted and transmitted between you and the intended business, bank or credit card company.

The problem with the discovered flaw is that, because of the way Microsoft's operating systems interact with the Internet Explorer browser, the SSL protocol can be defeated by a would-be hacker with malicious intent to steal your information.

Because the problem lies not in the browser but in the operating system and how it is intrinsically tied to Internet Explorer, which is what causes the flaw in the way the browser uses SSL, the problem either went undetected by Microsoft or Microsoft ignored it, hoping others would not discover it until a fix or patch could be devised.

When the recent serious flaw in SSL security was discovered and made public, Microsoft responded vigorously that it was irresponsible for parties to disclose information such as this without informing Microsoft first. Had it been informed, Microsoft's response to the claim of a serious flaw in its most widely used browser could, in Microsoft's view, have been delivered to the public in a way that did not unintentionally overstate the flaw's importance and its impact on e-commerce. Microsoft's claim is that the flaw is serious, but that the chance of a would-be hacker successfully pulling off a man-in-the-middle attack against someone's Internet Explorer browser to read credit card or banking information is very remote, since it would require a very high degree of knowledge of both how SSL works and how it is integrated into TCP/IP within the operating system.

Needless to say, as a result of this discovery, Microsoft has scrambled to make available a patch for every version of its Windows operating systems that currently uses the Internet Explorer 5.x or 6.0 browser (the most vulnerable version). As of this report, Microsoft has created a patch for all its operating systems except Windows 2000 Pro, Server, and Advanced Server. Patches are available for Windows 95, 98, 98SE, ME, NT 4.0, XP and XP 64-bit operating systems. Patches for the Windows 2000 series operating systems have yet to be released. To download the patch for your operating system, follow the link:
http://www.microsoft.com/technet/security/bulletin/ms02-050.asp
and then locate the correct patch for your system. Remember, you should install the patch that applies to your operating system or your online transactions will not be safe and secure.

We recommend that you back up all critical data on your hard drive, and update the system state information on those operating systems that allow it, before installing any of these patches, because the patches make crucial changes to the operating systems themselves rather than to the Internet Explorer browsers that use them.


Related web sites:

Microsoft Internet Explorer
Mozilla
Netscape Browser
Opera Software


project editor: Daniel Calloway, IT Professional
