Microsoft Internet Explorer (IE) fails to properly validate certificates when CRL checking is enabled. As a result, sensitive information may be exposed.
Digital certificates are small documents used to authenticate and encrypt information transmitted over the Internet. One very common use of digital certificates is to secure electronic commerce transactions through SSL (Secure Sockets Layer). The certificates used in e-commerce transactions are called X.509 certificates. X.509 certificates help a web browser and the user ensure that sensitive information transmitted over the Internet is readable only by the intended recipient. This requires verifying the recipient's identity and encrypting data so that only the recipient can decrypt it.
When IE is configured to automatically check a certificate revocation list (CRL) for revoked certificates, it fails to perform other checks to ensure that the certificate is valid. These checks include
Failure to perform these checks gives an attacker a limited opportunity to spoof a trusted web site. That is, an intruder may be able to lure or coerce a victim to visit a malicious web site and convince the victim that he or she is communicating with a trusted web site that has been authenticated with strong cryptography.
This vulnerability is similar in scope and effect to the problems discussed in CA-2000-05, CA-2000-08, and CA-2000-10. The CERT/CC has not received any reports of incidents involving those vulnerabilities. However, the typically sensitive nature of SSL-secured transactions magnifies the risk presented by this vulnerability. Furthermore, SSL-secured transactions are often assumed to be extremely safe because of the high degree of confidence in the underlying cryptographic protocols. While this vulnerability does not in any way represent a problem in the security of the underlying cryptographic protocols, it does highlight the need to consider implementation security in addition to protocol and cryptographic security when evaluating the overall security of any software system.
Finally, we disagree somewhat with Microsoft's claim that "DNS poisoning attacks are fraught with problems for an attacker." In our experience, attacks against name servers are rather common. See for example CA-2001-02 and CA-2000-03.
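The defect class described above, as a small model with a regression check; this is an added example, not code from the advisory or from Microsoft. The certificate fields, the three non-revocation checks (validity period, host name, trusted issuer), and all names and sample values are assumptions of this example.

```python
from datetime import datetime, timezone

# Constructed sample data; field names and the three basic checks are assumptions.
TRUSTED_ISSUERS = {"Example Root CA"}
REVOKED_SERIALS = {"0A"}
NOW = datetime(2001, 5, 17, tzinfo=timezone.utc)

def _cert(**overrides):
    base = {"subject": "shop.example.com", "issuer": "Example Root CA", "serial": "01",
            "not_before": datetime(2001, 1, 1, tzinfo=timezone.utc),
            "not_after": datetime(2002, 1, 1, tzinfo=timezone.utc)}
    base.update(overrides)
    return base

def basic_failures(cert, host, now):
    """Checks that must run on every connection, whatever the revocation setting."""
    checks = [
        (cert["not_before"] <= now <= cert["not_after"], "outside validity period"),
        (cert["subject"].lower() == host.lower(), "host name mismatch"),
        (cert["issuer"] in TRUSTED_ISSUERS, "untrusted issuer"),
    ]
    return [msg for ok, msg in checks if not ok]

def validate_flawed(cert, host, now, crl_enabled):
    """Models the defect class: the revocation branch replaces the other checks."""
    if crl_enabled:
        return ["revoked"] if cert["serial"] in REVOKED_SERIALS else []
    return basic_failures(cert, host, now)

def validate_fixed(cert, host, now, crl_enabled):
    """Revocation is one more check added to the basic ones, never a substitute."""
    failures = basic_failures(cert, host, now)
    if crl_enabled and cert["serial"] in REVOKED_SERIALS:
        failures.append("revoked")
    return failures

def setting_dependent_accepts(validate, cases, host="shop.example.com", now=NOW):
    """Names rejected with CRL checking off but accepted with it on (should be none)."""
    return [name for name, cert in cases.items()
            if validate(cert, host, now, False) and not validate(cert, host, now, True)]

CASES = {
    "good": _cert(),
    "expired": _cert(not_after=datetime(2001, 2, 1, tzinfo=timezone.utc)),
    "wrong_host": _cert(subject="other.example.net"),
    "untrusted": _cert(issuer="Unknown CA"),
    "revoked": _cert(serial="0A"),
}
```

Running `setting_dependent_accepts` against a validator with both settings is a cheap regression test: any certificate it returns is one that turning revocation checking on caused to be accepted.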
Attackers may be able to mislead victims into exposing confidential information that they intend to provide to a trusted site.
Apply a patch as described in MS-01-027.
Our thanks to Microsoft for the information contained in their advisory.
This document was written by Shawn V. Hernan.
Date First Published: 2001-05-17
Date Last Updated: 2001-06-26 03:18 UTC