February 11, 2009 9:02 PM
Microsoft Explore-ing Possible Flaw
(CBS)
Microsoft is investigating claims that its popular Internet Explorer software has a loophole that allows attackers to pose as legitimate Web site operators, potentially giving them access to computer users' usernames, passwords and credit card numbers.
Although Microsoft says it is too soon to judge the severity of the problem — and even whether a flaw exists — some programmers and consultants say it could threaten the security of everything from online banking to shopping at Amazon.com.
The problem is "fairly serious," said Elias Levy, with the security response team at Symantec, a security software company. However, the complexity involved makes widespread attacks unlikely, he said.
Attackers taking advantage of the loophole can trick computer users into thinking they are visiting legitimate Web sites, thereby convincing them to part with personal information.
Mike Benham, a San Francisco programmer who discovered the problem, posted his findings Aug. 5 on a popular security-alert Web site.
Benham said Internet Explorer versions 5.0, 5.5 and 6.0 have loopholes in handling Web sites' digital certificates, such as those from VeriSign, which verify Web sites as being legitimate and also include unique code for encrypting information.
Essentially, any Web site operator with a valid certificate could pretend to be any other Web site operator. Theoretically, he said, attackers could successfully hijack computer users — such as over a company's internal network — as they went to banking or e-commerce Web sites and intercept their information. Or they could send hijacked users to dummy Web sites and get them to give personal information.
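The article does not say which check Internet Explorer was skipping. The following Go program, added here as an illustration and not part of the original article or of any vendor's code, shows the general shape of the problem it describes: a verifier that checks only the signatures along a certificate chain will accept a certificate for one site that was signed with another site's ordinary, valid certificate, while standard path validation, which also requires each issuer's basicConstraints extension to carry the CA flag and checks the host name, rejects it. The root CA and the host names shop.example and bank.example are constructed for the example; the keys are throwaway test material generated at run time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a fresh P-256 key for template and has signerKey (the
// parent's key; nil means self-signed) sign the certificate.
func issue(template, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if signerKey == nil {
		signerKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Scenario holds constructed certificates (hypothetical names): a root CA, an
// ordinary site certificate, and a bank.example certificate signed by the shop's key.
type Scenario struct{ Root, Shop, Forged *x509.Certificate }

func NewScenario() Scenario {
	now := time.Now()
	tmpl := func(serial int64, name string, ca bool) *x509.Certificate {
		c := &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: name},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			BasicConstraintsValid: true, // basicConstraints present; IsCA is its CA flag
			IsCA:                  ca,
		}
		if ca {
			c.KeyUsage = x509.KeyUsageCertSign
		} else {
			c.DNSNames = []string{name}
		}
		return c
	}
	rootTmpl := tmpl(1, "Example Root CA", true)
	root, rootKey := issue(rootTmpl, rootTmpl, nil)
	shop, shopKey := issue(tmpl(2, "shop.example", false), root, rootKey)
	// The shop's end-entity certificate is used as if it were an issuer.
	forged, _ := issue(tmpl(3, "bank.example", false), shop, shopKey)
	return Scenario{Root: root, Shop: shop, Forged: forged}
}

// SignatureOnlyValid models a verifier that only checks that each certificate was
// signed by the next one in path (last = trusted root), never whether the signer is a CA.
func SignatureOnlyValid(leaf *x509.Certificate, path ...*x509.Certificate) bool {
	cur := leaf
	for _, issuer := range path {
		if issuer.CheckSignature(cur.SignatureAlgorithm, cur.RawTBSCertificate, cur.Signature) != nil {
			return false
		}
		cur = issuer
	}
	return true
}

// StrictValid runs standard-library path validation: an issuer must be marked
// as a CA in basicConstraints, and validity period and host name are checked too.
func StrictValid(leaf *x509.Certificate, host string, root *x509.Certificate, path ...*x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range path {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err == nil
}

func Demo() (naiveAcceptsForged, strictAcceptsForged, strictAcceptsShop bool) {
	s := NewScenario()
	naiveAcceptsForged = SignatureOnlyValid(s.Forged, s.Shop, s.Root)
	strictAcceptsForged = StrictValid(s.Forged, "bank.example", s.Root, s.Shop)
	strictAcceptsShop = StrictValid(s.Shop, "shop.example", s.Root)
	return
}

func main() {
	n, f, s := Demo()
	fmt.Println("signature-only accepts forged:", n, "| strict accepts forged:", f, "| strict accepts genuine shop:", s)
}
```

Run with `go run .`; the signature-only check accepts the forged bank.example certificate, while standard validation rejects it and still accepts the genuine shop.example certificate. The point for a defender is that signature verification alone says only who signed a certificate, not whether the signer was authorized to issue it; a verifier has to enforce the CA flag (and name and validity checks) on every issuer in the chain.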
Other Internet software, such as Netscape and Mozilla, is not vulnerable, Benham said.
Microsoft is still investigating and is unsure even whether to call it a vulnerability, said Scott Culp, manager of Microsoft's Security Response Center.
The possible flaw comes as Microsoft has launched a high-profile effort, called its Trustworthy Computing initiative, to resolve security concerns. But problems remain. The company has issued 41 security bulletins with patches so far this year.
Microsoft criticized Benham for not contacting Microsoft first when he discovered the problem, and instead posting it on the Internet. Benham said he did not directly notify Microsoft because he was frustrated by the company's response to other security researchers in the past.
Microsoft maintains it is difficult to wage an attack as Benham outlined, although Levy and another security expert, Bruce Schneier at Counterpane Internet Security, said it is possible.
"Investigating a security vulnerability sometimes takes a little bit longer than people may expect, because it's important that we be absolutely right about the answer we provide," Culp said. He added that Microsoft has not contacted Benham because it had sufficient information and doubted whether he was committed to helping solve the problem.
E-commerce companies have since contacted Microsoft about their concerns, Culp said.
VeriSign, one of the biggest providers of digital certificates, said it learned of the problem on Friday and contacted Microsoft, said Ben Golub, senior vice president of trust and payment services.
He said the two companies are working together to resolve the problem and that they don't know of any real cases yet where someone has successfully spoofed a Web site or gained information.