COMMAND
IE
SYSTEMS AFFECTED
IE
PROBLEM
The following is based on Microsoft Security Bulletin MS01-027.
A patch is available to eliminate two newly discovered
vulnerabilities affecting Internet Explorer, both of which could
enable an attacker to spoof trusted web sites. The first
vulnerability involves how digital certificates from web servers
are validated. When CRL checking for such certificates is
enabled, it could be possible for any or all of the following
checks to no longer be performed:
- Verification that the certificate has not expired
- Verification that the server name matches the name on the
certificate
- Verification that the issuer of the certificate is trusted
The vulnerability only affects how certificates from web servers
are validated. It does not affect how code-signing certificates
or any other type of certificate are validated.
The specific checks that might be bypassed vary with both the user
and the actions she may have taken during the current browsing
session. An attacker could not predict with any degree of
certainty which checks might be bypassed in a particular case.
The vulnerability does not provide any way to force users to the
attacker's web site. It is likely that this vulnerability could
only be exploited in conjunction with a successful DNS poisoning
or similar attack.
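
As an added illustration (not code from the bulletin or from Internet Explorer), the Python example below models the three checks listed above as independent tests, with CRL checking as one more test rather than a replacement for the others. The trust store, sample certificate and function names are constructed for the example, and issuer trust is reduced to a name lookup where a real client verifies the signature chain.

```python
import ssl
from datetime import datetime, timezone

# Constructed trust store: issuer common names the client accepts (assumption;
# real clients verify the signature chain up to a trusted root, not a name).
TRUSTED_ISSUERS = {"Example Root CA"}

def _field(name_tuples, key):
    """Return the first value for key in a getpeercert()-style name tuple."""
    for rdn in name_tuples:
        for k, v in rdn:
            if k == key:
                return v
    return None

def _host_matches(pattern, host):
    """Exact match, or a single left-most '*' label wildcard."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]

def validate_server_cert(cert, host, now, revoked_serials=None):
    """Return the list of failed checks; an empty list means accept."""
    failures = []
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    if now > not_after:
        failures.append("expired")
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not any(_host_matches(n, host) for n in names):
        failures.append("name_mismatch")
    if _field(cert["issuer"], "commonName") not in TRUSTED_ISSUERS:
        failures.append("untrusted_issuer")
    # revoked_serials models an enabled CRL check: it only ever adds a test.
    if revoked_serials is not None and cert["serialNumber"] in revoked_serials:
        failures.append("revoked")
    return failures

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
    "serialNumber": "0A1B",
    "notAfter": "May 16 12:00:00 2001 GMT",
    "subjectAltName": (("DNS", "www.example.com"),),
}
```
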
The second vulnerability could enable a web page to display the
URL from a different web site in the IE address bar. This
spoofing could occur within a valid SSL session with the
impersonated site. Both vulnerabilities could be used to
convince a user that the attacker's web site was actually a
different one - one that the user presumably trusts and would
provide sensitive information to. However, as discussed in the
Mitigating Factors section below, there would be significant
hurdles to exploiting either vulnerability.
Like the vulnerability above, this vulnerability would not provide
any way to force users to the attacker's web site, and DNS
poisoning or other measures would likely be required to exploit
it.
Any hyperlinks within the page would correctly show the target.
As a result, the attacker would need to point these to bona fide
locations on the spoofed web site, with the result that the
attacker would likely only be able to spoof a single web page,
rather than an entire site.
In addition to eliminating the two new vulnerabilities, the patch
also eliminates two new variants of a previously discussed
vulnerability, the "Frame Domain Verification" vulnerability,
which originally was discussed in Microsoft Security Bulletin
MS00-033. Like the original version, these new variants
could enable a malicious web site operator to open
two browser windows, one in the web site's domain and the other
on the user's local file system, and to pass information from the
latter to the former. This could enable the web site operator to
read any file on the user's local computer that could be opened
in a browser window.
The patch also incorporates the functionality of the patch
provided in Microsoft Security Bulletin MS01-020.
SOLUTION
A patch is available to fix these vulnerabilities. Please read the
Security Bulletin:
http://www.microsoft.com/technet/security/bulletin/ms01-027.asp
for information on obtaining this patch.