The Computer Emergency Response Team (CERT) Coordination Centre at Carnegie Mellon University in Pittsburgh on Tuesday issued a warning that newly found flaws in Internet Explorer could allow an attacker to trick users into disclosing information, such as credit-card numbers and personal data, intended for legitimate websites.
Internet Explorer (IE), Netscape Navigator and other browsers indicate when a Secure Socket Layer (SSL) encrypted transaction has been established, but the software doesn't indicate to whom the connection has been made. The flaws involve the way IE validates digital certificates through SSL.
Microsoft, which issued its own bulletin earlier, said there are two vulnerabilities.
IE sometimes verifies only that the server's SSL certificate was issued by a trusted root, but the certificate's server name and expiration date are not verified.
Even if the initial validation is made correctly, IE doesn't revalidate the certificate if a new SSL session is established with the same server during the same browser session.
Microsoft identified IE 4.0, 4.01, 5 and 5.01 as the versions that contain these flaws. It said the chances of these vunerabilities occurring are "fairly restricted" because an attacker would need to inflict a domain name system (DNS) "poisoning" -- redirecting a domain name to another server -- or physically replace a server to carry out these attacks.
The company also issued a patch for these versions of IE. Microsoft didn't return calls for additional comments by press time.
In CERT's advisory, the organisation advised users that, in addition to staying up-to-date on browser patches, they should check SSL connections before transmitting sensitive data. "DNS information is fundamentally insecure, and there are a variety of means by which an attacker can provide false or misleading DNS information," according to the advisory.
Users can look at certificate details within a browser after an SSL connection is established, and check that the certificate name belongs to the site to which they think they're sending data.