Spyware Doctor
Spyware Doctor with AntiVirus
PC Tools AntiVirus
PC Tools Internet Security
PC Tools Firewall Plus
ThreatFire
Spam Monitor
Registry Mechanic
Desktop Maestro
File Recover
Privacy Guardian
Spyware Doctor Enterprise
Help me choose
SSL Certificate Validation Vulnerabilities
Two security vulnerabilities exist in Microsoft® Internet Explorer that involve how IE handles digital certificates; under a very daunting set of circumstances, they could allow a malicious web site operator to pose as a trusted web site.
Issue
Two vulnerabilities have been identified in the way IE handles digital certificates:
- When a connection to a secure server is made via either an image or a frame, IE only verifies that the server's SSL certificate was issued by a trusted root - it does not verify the server name or the expiration date. When a connection is made via any other means, all expected validation is performed.
- Even if the initial validation is made correctly, IE does not re-validate the certificate if a new SSL session is established with the same server during the same IE session.
The circumstances under which these vulnerabilities could be exploited are fairly restricted. In both cases, it is likely that the attacker would need to either carry out DNS cache poisoning or physically replace the server in order to successfully carry out an attack via this vulnerability. The timing would be especially crucial in the second case, as the malicious user would need to poison the cache or replace the machine during the interregnum between the two SSL sessions.
Affected Products
- Microsoft Internet Explorer 4.x & 5.x
Download
Patch: http://www.microsoft.com/windows/ie/download/critical/patch11.htm
Further Details
Source: Microsoft Corporation
Reference: Microsoft Corporation
Updated: August 9, 2000
>> Recommended Download - secure your PC from spyware, adware and malware now with Spyware Doctor <<
