[Am-info] IE Flaw Could Expose Credit Card Numbers

Fred A. Miller fm@cupserv.org
Tue, 20 Aug 2002 11:03:58 -0400


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://www.techtv.com/news/security/story/0,24195,3395766,00.html

Attackers could use vulnerability to gain access to buyer information.

By Dan Brekke, Tech Live

A San Francisco programmer has disclosed a potentially severe flaw in
how Microsoft's Internet Explorer browser implements a technology meant
to assure secure transactions over the Web.

Independent security researcher Mike Benham last week released details
of an IE vulnerability that allows forging of the certificates used to
assure that Web clients and servers are communicating using Secure
Socket Layer (SSL) encryption technology.

An attacker could obtain a valid SSL certificate from a trusted
certificate authority -- parties (such as VeriSign) that issue and
manage network security credentials. The reported weakness in Internet
Explorer in effect allows anyone to assume the role of an intermediate
certificate authority. In that role, an attacker could then create
valid-looking, but bogus, certificates for any other domain.

What damage could ensue?

One possibility: Attackers eavesdropping on Web connections to
e-commerce sites could capture buyer data such as credit-card numbers.

Security experts have termed the problem serious. Microsoft said Monday
it is still assessing the reported flaw.

- -- 
Fred A. Miller
Systems Administrator
Cornell Univ. Press Services
fm@cupserv.org, www.cupserv.org
- --- SuSE Linux v8.0 Pro, KMail 3.0.1---
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj1iWl4ACgkQB9vk4ichYXftFACgqEh41p68PV7I2vL1lGb6Wlv7
DKsAnjk+yUBcmfvzoIf/cUDQpZenQVvs
=H9Fk
-----END PGP SIGNATURE-----
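
The check that stops an ordinary site certificate from acting as an intermediate certificate authority is the X.509 basicConstraints CA flag (with its optional path length limit). The following is an added example, not part of the article or the original message: it models certificates as plain records with no real signatures, and all names and domains in it are constructed. It contrasts a validator that only follows issuer names to a trusted root with one that also requires every issuer to be a CA.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    """Simplified model of an X.509 certificate (no real signatures)."""
    subject: str
    issuer: str
    is_ca: bool = False              # basicConstraints CA flag
    path_len: Optional[int] = None   # max intermediate CA certs allowed below

def links_to_root(chain, trusted_roots):
    """Name chaining only: each cert's issuer is the next cert's subject and
    the last cert is a trusted root. The chain is ordered leaf first."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    return chain[-1] in trusted_roots

def validate_weak(chain, trusted_roots):
    """Behaviour the article describes: any certificate that chains to a
    trusted root is accepted as an issuer, whether or not it is a CA."""
    return links_to_root(chain, trusted_roots)

def validate_strict(chain, trusted_roots):
    """Additionally require every issuing cert to be a CA within path_len."""
    if not links_to_root(chain, trusted_roots):
        return False
    for depth, issuer in enumerate(chain[1:]):  # depth = intermediates below
        if not issuer.is_ca:
            return False
        if issuer.path_len is not None and depth > issuer.path_len:
            return False
    return True

# Constructed sample data: a root CA, an ordinary site certificate it issued,
# and a certificate for another domain "issued" by that site certificate.
ROOT = Cert("Example Root CA", "Example Root CA", is_ca=True)
SITE = Cert("www.site-a.example", "Example Root CA")
FORGED = Cert("www.shop.example", "www.site-a.example")
LEGIT = Cert("www.shop.example", "Example Root CA")

if __name__ == "__main__":
    print("weak accepts forged chain:  ", validate_weak([FORGED, SITE, ROOT], {ROOT}))
    print("strict accepts forged chain:", validate_strict([FORGED, SITE, ROOT], {ROOT}))
    print("strict accepts legit chain: ", validate_strict([LEGIT, ROOT], {ROOT}))
```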