BBC News World Edition
Tuesday, 13 August, 2002, 10:20 GMT 11:20 UK
Microsoft looks into browser 'flaw'
Computer users could be at risk from spoof sites
Microsoft is investigating reports that its popular Internet Explorer browser has a loophole that could expose a computer user's name, passwords and credit card numbers.

Malicious hackers taking advantage of the loophole could trick users into thinking they are visiting legitimate websites and could fool them into divulging personal information.

Security experts have described the problem as serious, though they say the complexity involved makes widespread attacks unlikely.

Microsoft is looking into the reports, but is playing down the risks to internet users.

Fool users

The problem was discovered by San Francisco programmer Mike Benham.


He said that Internet Explorer versions 5.0, 5.5 and 6.0 have loopholes in the way they handle digital certificates, which verify that websites are legitimate.

Anyone with a valid digital certificate for a website could generate a valid certificate for any other site and, in theory, intercept data sent to banking or e-commerce sites, according to Mr Benham.

"This is one of the worst cryptographic vulnerabilities I've seen in a long time," said cryptography expert Bruce Schneier of Counterpane Internet Security.

Daunting challenges

The software giant is looking into the issue, but is unsure even whether to call it a vulnerability, said Scott Culp, manager of Microsoft's Security Response Center.

"What we are saying is that based on the preliminary investigation so far, it's obvious there would be some daunting challenges with the scenario that's been described," he said.

Since reports of the problem first appeared, various e-commerce companies have been in touch with Microsoft.

Microsoft is working with VeriSign, one of the biggest providers of digital certificates, to resolve the problem.

So far neither company has received any reports of cases where someone has successfully spoofed a website or gained information.
