Vulnerability Note VU#399087

Internet Explorer incorrectly validates certificates when CRL checking is enabled

Original Release date: 17 May 2001 | Last revised: 25 Jun 2001


Microsoft Internet Explorer (IE) fails to properly validate server certificates when automatic certificate revocation list (CRL) checking is enabled. As a result, an attacker may be able to spoof a trusted web site and obtain sensitive information.


Digital certificates are small documents that bind a public key to an identity; they are used to authenticate parties and to set up encrypted sessions over the Internet. One very common use of digital certificates is to secure electronic commerce transactions through SSL (Secure Sockets Layer). The certificates used in e-commerce transactions are X.509 certificates. They help a web browser and its user ensure that sensitive information transmitted over the Internet is readable only by the intended recipient. This requires verifying the recipient's identity and encrypting the data so that only the recipient can decrypt it.

The "padlock" icon used by Internet Explorer (as well as Netscape and other browsers) indicates that an SSL-secured connection has been established to someone. It does not, by itself, indicate to whom the connection has been established. Internet Explorer (and other browsers) takes steps to warn users when DNS-based information conflicts with the strongly authenticated information contained in the X.509 certificates used in SSL transactions. These warnings are supplemental information to help users decide whether they are connecting to whom they think they are connecting, and they are designed to protect against attacks on the DNS information.

When IE is configured to check a certificate revocation list (CRL) automatically for revoked certificates, it fails to perform the other checks needed to establish that a certificate is valid. These checks include:

  • checking that the Certificate Authority (CA) that signed the certificate is trusted
  • checking the validity dates on the certificate to ensure it has not expired
  • checking that the server name matches the name on the certificate

Failure to perform these checks gives an attacker a limited opportunity to spoof a trusted web site. A CRL lookup reveals only whether the issuing CA has withdrawn a particular certificate; it says nothing about whether that CA is trusted, whether the certificate is within its validity period, or whether it was issued for the server the user is contacting. An intruder who can lure or coerce a victim into visiting a malicious web site may therefore present a certificate that would otherwise be rejected, for instance one issued by an untrusted CA or for a different server name, and convince the victim that he or she is communicating with a trusted web site that has been authenticated with strong cryptography.
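The three skipped checks and their consequence, as an added example that is not part of this advisory or of Microsoft's bulletin and is not IE's code: a Go program using the standard crypto/x509 library builds, in memory, a trusted CA, an attacker-controlled CA, a CRL for each, and five server certificates presented for www.example.com. Each certificate is then evaluated two ways: with the CRL lookup alone, which stands for the behaviour described above, and with the complete validation a browser must perform. The CA names, host names, serial numbers and dates are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed clock (the advisory's release date); every name, serial and certificate below is made up.
var now = time.Date(2001, time.May, 17, 12, 0, 0, 0, time.UTC)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a key and certificate for cn: with a nil parent a self-signed
// CA, otherwise a server certificate for host cn signed by parent.
func issue(cn string, serial int64, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.AddDate(-1, 0, 0), NotAfter: notAfter}
	if parent == nil { // CA: self-signed, allowed to sign certificates and CRLs
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		parent, parentKey = tmpl, key
	} else { // server: the name lives in the SAN, and the key may only do TLS server auth
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// makeCRL publishes a CRL signed by issuer carrying the given revoked entries.
func makeCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, revoked []pkix.RevokedCertificate) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Hour),
		NextUpdate: now.Add(24 * time.Hour), RevokedCertificates: revoked}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, issuer, key))))
}

// notRevoked is the CRL lookup on its own: the CRL must be signed by the leaf's issuer and must not
// list the leaf's serial. Passing says nothing about trust, dates or identity, so accepting on it alone is the failure described above.
func notRevoked(leaf, issuer *x509.Certificate, crl *x509.RevocationList) error {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL not signed by issuer: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate %v is revoked", leaf.SerialNumber)
		}
	}
	return nil
}

// fullCheck is what a browser must do: not revoked AND chained to a trusted root AND within its validity period AND issued for host. Any one failure rejects.
func fullCheck(leaf, issuer *x509.Certificate, crl *x509.RevocationList, roots *x509.CertPool, host string) error {
	if err := notRevoked(leaf, issuer, crl); err != nil {
		return err
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}

type verdict struct{ CRLOnly, Full error }
// runScenarios evaluates five certificates presented for www.example.com both ways; a nil error means accepted.
func runScenarios() map[string]verdict {
	const host = "www.example.com"
	ca, caKey := issue("Example Trusted CA", 1, now.AddDate(5, 0, 0), nil, nil)
	rogue, rogueKey := issue("Attacker CA", 2, now.AddDate(5, 0, 0), nil, nil) // not in the trust store
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	good, _ := issue(host, 10, now.AddDate(1, 0, 0), ca, caKey)
	expired, _ := issue(host, 11, now.AddDate(0, -1, 0), ca, caKey)
	wrongHost, _ := issue("www.example.net", 12, now.AddDate(1, 0, 0), ca, caKey)
	revoked, _ := issue(host, 13, now.AddDate(1, 0, 0), ca, caKey)
	fromRogue, _ := issue(host, 14, now.AddDate(1, 0, 0), rogue, rogueKey)
	caCRL := makeCRL(ca, caKey, []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now}})
	rogueCRL := makeCRL(rogue, rogueKey, nil) // the attacker's own CRL, which naturally lists nothing
	return map[string]verdict{
		"good":       {notRevoked(good, ca, caCRL), fullCheck(good, ca, caCRL, roots, host)},
		"expired":    {notRevoked(expired, ca, caCRL), fullCheck(expired, ca, caCRL, roots, host)},
		"wrong-host": {notRevoked(wrongHost, ca, caCRL), fullCheck(wrongHost, ca, caCRL, roots, host)},
		"revoked":    {notRevoked(revoked, ca, caCRL), fullCheck(revoked, ca, caCRL, roots, host)},
		"rogue-ca":   {notRevoked(fromRogue, rogue, rogueCRL), fullCheck(fromRogue, rogue, rogueCRL, roots, host)},
	}
}

func main() {
	for name, v := range runScenarios() {
		fmt.Printf("%-10s CRL-only accepts: %-5t  full check: %v\n", name, v.CRLOnly == nil, v.Full)
	}
}
```

Only the revoked certificate fails the CRL-only check; the expired certificate, the one issued for another host and the one from the attacker's CA all pass it and are rejected only by the full check. Note in particular that an attacker who mints his own CA also controls where its CRL is published, so a revocation lookup against a rogue certificate is trivially satisfied. Revocation checking supplements chain, validity-period and name checks; it can never replace them.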

This vulnerability is similar in scope and effect to the problems discussed in CA-2000-05, CA-2000-08, and CA-2000-10. The CERT/CC has not received any reports of incidents involving those vulnerabilities. However, the typically sensitive nature of SSL-secured transactions magnifies the risk presented by this vulnerability. Furthermore, SSL-secured transactions are often assumed to be extremely safe because of the high degree of confidence in the underlying cryptographic protocols. While this vulnerability does not in any way represent a problem in the security of the underlying cryptographic protocols, it does highlight the need to consider implementation security in addition to protocol and cryptographic security when evaluating the overall security of any software system.

Finally, we disagree somewhat with Microsoft's claim that "DNS poisoning attacks are fraught with problems for an attacker." In our experience, attacks against name servers are rather common. See for example CA-2001-02 and CA-2000-03.


Attackers may be able to trick users into disclosing, to a web site under the attacker's control, confidential information that the user intended to provide to a trusted site.


Apply the patch described in Microsoft Security Bulletin MS01-027.

Systems Affected

Vendor      Status     Date Notified   Date Updated
Microsoft   Affected   -               17 May 2001

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



Our thanks to Microsoft for the information contained in their advisory.

This document was written by Shawn V. Hernan.

Other Information

  • CVE IDs: CAN-2001-0338
  • Date Public: 17 May 2001
  • Date First Published: 17 May 2001
  • Date Last Updated: 25 Jun 2001
  • Severity Metric: 1.13
  • Document Revision: 5

