August 13, 2002

Security Advisory

A severe flaw in Microsoft's Internet Explorer browser, reported yesterday, could enable a malicious Web site operator to hijack user sessions and steal data such as credit card numbers and other sensitive information sent over a "secure" SSL session.

The flaw lies in the way that IE validates digital certificates issued to Web sites that offer SSL (Secure Socket Layer)-enabled connections. Such certificates are typically issued and signed by CAs (certificate authorities) such as VeriSign Inc. and list the URL of the Web site to which they are issued. When a user connects via the SSL protocol to a Web site, the user's browser checks the certificate to ensure that the domain listed on it matches the site to which the browser is connected.

However, CAs often farm out the job of issuing certificates, so a user might get a VeriSign certificate that has been signed by an intermediate authority. In such a case, a user's browser should check all of the same parameters on the intermediate certificate as well. But IE does not check the domain on the intermediate certificate against the URL.

This means that anyone with a valid certificate can exploit this vulnerability in what is called a "man-in-the-middle" attack, in which a malicious Web site operator generates and signs a fake certificate for other companies (banks, Amazon, eBay, etc.).

Microsoft is looking into the flaw but has not yet posted a fix. I will send out an advisory when the fix is available.

Scan your computer for viruses every week and don't forget to back up your files!

Fredo
http://www.workingarts.com/infosecarchives
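The chain check described in the advisory, as an added example (not part of the original advisory and not Microsoft's code): a simplified model with no real cryptography that compares a validator checking only the site certificate with one that also checks every signing certificate. The `Cert` fields, the function names and all certificate names are assumptions made for illustration; the `is_ca` flag stands in for the X.509 Basic Constraints extension, which the advisory does not name.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str   # name the certificate was issued to
    issuer: str    # subject of the certificate that signed it
    is_ca: bool    # is this certificate allowed to sign other certificates?

# Constructed sample data: a trusted root, an ordinary site certificate issued
# by it, and a certificate for a different site signed with the site certificate.
ROOT = Cert("Example Root CA", "Example Root CA", True)
SITE = Cert("www.any-site.example", "Example Root CA", False)
FORGED = Cert("www.bank.example", "www.any-site.example", False)
TRUSTED_ROOTS = {ROOT.subject}

def links_ok(chain):
    """Every certificate must name the next one in the chain as its issuer."""
    return all(c.issuer == parent.subject for c, parent in zip(chain, chain[1:]))

def validate_leaf_only(chain, hostname):
    """Flawed model: checks the site name and the links, nothing on signers."""
    if not chain:
        return False
    return (chain[0].subject == hostname
            and links_ok(chain)
            and chain[-1].subject in TRUSTED_ROOTS)

def validate_strict(chain, hostname):
    """Hardened model: every certificate that signs another must be a CA."""
    if not validate_leaf_only(chain, hostname):
        return False
    return all(signer.is_ca for signer in chain[1:])

if __name__ == "__main__":
    forged_chain = [FORGED, SITE, ROOT]   # ordered site certificate first, root last
    print("leaf-only:", validate_leaf_only(forged_chain, "www.bank.example"))
    print("strict:   ", validate_strict(forged_chain, "www.bank.example"))
```

The chain is ordered from the site certificate up to the root, so `chain[1:]` is exactly the set of certificates that signed something.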