Internet Explorer Allows Spoofing of Trusted Web Sites

Two newly discovered vulnerabilities in Microsoft Internet Explorer (IE) versions 5.01 and 5.5 let an attacker spoof trusted Web sites.

Ken Pfeil

May 20, 2001


Reported May 17, 2001, by Microsoft.

VERSIONS AFFECTED

·        Microsoft Internet Explorer 5.01

·        Microsoft Internet Explorer 5.5

 

DESCRIPTION
Two newly discovered vulnerabilities in Microsoft Internet Explorer (IE) versions 5.01 and 5.5 let an attacker spoof trusted Web sites. The first vulnerability involves how IE validates digital certificates sent from Web servers. When you enable Certificate Revocation List (CRL) certificate checking, IE might stop performing the following checks:

·        Verification that the certificate has not expired

·        Verification that the server name matches the name on the certificate

·        Verification that the certificate is from a trusted issuer
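The first vulnerability is a case of one validation option switching other checks off. The following added example (not Microsoft's code and not a model of IE's internals) sketches a validator in which the three checks listed above run unconditionally, together with a regression property stating that enabling CRL checking can only add failure reasons. The certificate record, trust store, CRL contents and host names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:                      # constructed stand-in for a parsed server certificate
    subject: str                 # DNS name on the certificate
    issuer: str
    not_after: datetime
    serial: int

TRUSTED_ISSUERS = {"Example Root CA"}      # hypothetical trust store
REVOKED_SERIALS = {0xBAD}                  # hypothetical CRL contents

def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a single left-most wildcard label (*.example.com)."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def validate(cert: Cert, host: str, now: datetime, check_crl: bool) -> set[str]:
    """Return the set of failure reasons; an empty set means accept."""
    failures = set()
    # Baseline checks run unconditionally; none is nested under check_crl.
    if now > cert.not_after:
        failures.add("expired")
    if not name_matches(cert.subject, host):
        failures.add("name-mismatch")
    if cert.issuer not in TRUSTED_ISSUERS:
        failures.add("untrusted-issuer")
    # Revocation is an extra check layered on top of the baseline.
    if check_crl and cert.serial in REVOKED_SERIALS:
        failures.add("revoked")
    return failures

def crl_toggle_is_additive(cert: Cert, host: str, now: datetime) -> bool:
    """Regression property: enabling CRL checking never removes a failure."""
    return validate(cert, host, now, False) <= validate(cert, host, now, True)

NOW = datetime(2001, 5, 20, tzinfo=timezone.utc)
GOOD = Cert("www.example.com", "Example Root CA", datetime(2002, 1, 1, tzinfo=timezone.utc), 1)
SAMPLES = [   # constructed certificates, one per failure reason
    Cert("www.example.com", "Example Root CA", datetime(2000, 1, 1, tzinfo=timezone.utc), 2),
    Cert("www.other.example", "Example Root CA", GOOD.not_after, 3),
    Cert("www.example.com", "Unknown CA", GOOD.not_after, 4),
    Cert("www.example.com", "Example Root CA", GOOD.not_after, 0xBAD),
]
```

Running `crl_toggle_is_additive` over every sample certificate in a test suite catches a regression where a configuration flag silently disables the baseline checks.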

 

The second vulnerability can let a Web page display the URL from a different Web site in the IE address bar. This spoofing can also occur within a valid Secure Sockets Layer (SSL) session with the impersonated site. An attacker can use both vulnerabilities to convince a user that the attacker’s Web site is actually a different, trusted site.

 

VENDOR RESPONSE

The vendor, Microsoft, has acknowledged these vulnerabilities and recommends that users immediately apply the patch contained in Security Bulletin MS01-027.

 

CREDIT
Discovered by Alp Sinan.
