Web browsing just got a lot more dangerous with the discovery of several new software flaws.
Internet Explorer, which accounts for more than 80 percent of all Web browsers in use, has been found to have a problem in the way it verifies URLs after initially receiving a valid digital certificate. This can allow any site holding such a certificate to hijack information intended for any other secure site.
And Macromedia Flash has two new vulnerabilities, the worst of which can allow attackers to run arbitrary code on computers with the Flash player installed. Macromedia says that includes virtually every computer with a browser.
It has been discovered that once IE has accepted one certificate, it will also accept a second certificate that allows someone to hijack the ongoing transaction, as long as the second certificate is also valid. But—and here’s the important part—the second certificate doesn’t have to be related in any way to the first one. It merely has to be valid in its own right. So anyone holding a valid digital certificate could hijack a commerce session with another site and steal confidential data.
Thus, it now appears that no SSL transaction using IE can be treated as secure. The problem is found in several browsers but not, apparently, in Netscape Navigator, although this isn’t entirely clear yet.
An article in The Register reported that Mozilla 0.9.4 is not vulnerable (possibly, according to The Register’s editorial comment, because it has so many other bugs), but that Konqueror 3.0 (KDE 3.0.2 on SuSE 8.0) is seriously vulnerable to this flaw.
Some recently disclosed vulnerabilities in OpenSSL are also detailed in the CERT Advisory CA-2002-23, but none of them is as dangerous as this flaw in IE. The OpenSSL flaws involve only a denial of service event, which is worrying, but obviously a lesser concern than compromising secure data.
My June 10, 2002, column covered a number of Flash vulnerabilities, but they're unrelated to the new problems that have been discovered.
The first new vulnerability could allow an attacker to run arbitrary code on your computer. This attack is based on a malformed SWF (Flash movie) header vulnerability designated as MPSB02-09 by Macromedia.
The second problem, discovered by eEye Digital Security and designated MPSB02-10, can be used to modify a URL and hence read, modify, or delete local files. The same vulnerability existed in both Internet Explorer and Netscape Navigator, but they were patched in the early spring. Internet Explorer for the Macintosh still has this vulnerability.
Yet another Flash problem was first made public in April but just made the CERT vulnerability listing in August. This fault is not a security threat as such, but it does consume bandwidth and slow operations. In addition, a specific attack isn’t required; this DoS event is a normal process for Flash 6. It seems that when a Flash animation fires up as you visit a site, it continues even after you leave the site. In fact, data may continue to be transferred until you close the browser. This is fixed in Flash Player versions newer than 188.8.131.52.
The SSL flaw apparently involves all versions of Internet Explorer going back at least five years, including IE 5, IE 5.5, and, in some circumstances, IE 6, along with some other programs that are still being evaluated.
Flash Player versions prior to 184.108.40.206 have a buffer overflow vulnerability (MPSB02-09) due to the way they handle malformed headers. This can enable a malicious attacker to run arbitrary code on a system. The vulnerability relates only to Flash files that contain some custom coding; Macromedia reports that its own development software will not produce files that trigger it.
The company also says that the Flash Player versions affected by MPSB02-10 include all versions earlier than version 220.127.116.11, which fixes the problem.
The SSL problem is a lethal vulnerability that essentially means any SSL transaction ever made through IE 5 or later may have been compromised.
Flash Buffer Overflow—serious
The Flash overflow vulnerability (MPSB02-09) is especially dangerous because it is not browser- or operating-system-dependent and therefore affects any user, whether they are running Internet Explorer or Netscape Navigator on Windows, Linux, or UNIX. Also, firewalls are normally configured to allow Web browsing, including passing Flash files, so following good security practice offers no protection here. In fact, this attack doesn’t even require a browser, just an application that will play an SWF file, which can include instant messaging and e-mail clients.
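The column describes the malformed-header flaw only in general terms. As an added example (not Macromedia’s code and not the MPSB02-09 bug itself), here is a bounds-checked parser for the uncompressed SWF header that shows the kind of check a player must make: every size the header claims is verified against the bytes actually present before any field is trusted. The header layout (FWS signature, version byte, little-endian length, bit-packed RECT, frame rate, frame count) is the public format; the 21-byte sample movie header is constructed for this example.

```c
#include <stdint.h>
#include <string.h>
/* Parsed fields of an uncompressed ("FWS") SWF header. */
typedef struct {
    uint8_t  version;  uint32_t declared_len;   /* file length claimed by the header */
    int32_t  xmin, xmax, ymin, ymax;            /* stage RECT, in twips (1/20 px) */
    uint16_t frame_rate_8_8, frame_count;
} swf_header;
/* MSB-first bit reader that refuses to read past the end of its buffer. */
typedef struct { const uint8_t *buf; size_t len; size_t bitpos; } bitreader;
static int read_bits(bitreader *br, unsigned nbits, uint32_t *out) {
    if (nbits > 31 || br->bitpos + nbits > br->len * 8) return -1;  /* would overrun */
    uint32_t v = 0;
    for (unsigned i = 0; i < nbits; i++, br->bitpos++)
        v = (v << 1) | ((br->buf[br->bitpos >> 3] >> (7 - (br->bitpos & 7))) & 1);
    *out = v;
    return 0;
}
/* Checks every claimed size against the real buffer; 0 on success, negative code on the first inconsistency. */
int parse_swf_header(const uint8_t *buf, size_t len, swf_header *h) {
    if (len < 8 || memcmp(buf, "FWS", 3) != 0) return -1;  /* too short, or not uncompressed SWF */
    h->version = buf[3];
    h->declared_len = buf[4] | buf[5] << 8 | buf[6] << 16 | (uint32_t)buf[7] << 24;
    if (h->declared_len != len) return -2;                /* header lies about the file size */
    bitreader br = { buf + 8, len - 8, 0 };
    uint32_t nbits, v;
    if (read_bits(&br, 5, &nbits) < 0 || nbits == 0) return -3;
    int32_t *field[4] = { &h->xmin, &h->xmax, &h->ymin, &h->ymax };
    for (int i = 0; i < 4; i++) {
        if (read_bits(&br, nbits, &v) < 0) return -4;     /* RECT claims more bits than exist */
        if (v & (1u << (nbits - 1))) v |= ~0u << nbits;    /* sign-extend the nbits-wide value */
        *field[i] = (int32_t)v;
    }
    size_t off = 8 + (br.bitpos + 7) / 8;                 /* RECT pads to a byte boundary */
    if (off + 4 > len) return -5;                         /* no room for rate and frame count */
    h->frame_rate_8_8 = (uint16_t)(buf[off] | buf[off + 1] << 8);
    h->frame_count    = (uint16_t)(buf[off + 2] | buf[off + 3] << 8);
    return 0;
}
/* Constructed sample (not from a real movie): 550x400 stage, 12 fps, 1 frame, 21 bytes. */
static const uint8_t SAMPLE_SWF[21] = { 'F','W','S', 6, 0x15,0,0,0,
    0x78,0x00,0x05,0x5F,0x00,0x00,0x0F,0xA0,0x00, 0x00,0x0C, 0x01,0x00 };
/* Well-formed sample parses: xmax is 11000 twips (550 px). */
int sample_xmax_twips(void) { swf_header h; return parse_swf_header(SAMPLE_SWF, sizeof SAMPLE_SWF, &h) == 0 ? h.xmax : -1; }
/* nbits forced to 31: the RECT would run past the file, so the parser stops with -4. */
int sample_oversized_rect(void) {
    uint8_t bad[sizeof SAMPLE_SWF]; swf_header h; memcpy(bad, SAMPLE_SWF, sizeof bad); bad[8] = 0xF8;
    return parse_swf_header(bad, sizeof bad, &h);
}
int sample_truncated(void) { swf_header h; return parse_swf_header(SAMPLE_SWF, sizeof SAMPLE_SWF - 1, &h); } /* -2: size mismatch */
```

The two rejection cases are the ones a player without such checks would act on anyway: a RECT whose bit count exceeds the data present, and a declared length that disagrees with the bytes received.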
Flash URL Modification (XML)—serious
The other new Flash vulnerability (MPSB02-10) exists in the XML implementation in Flash Player and can trick a browser to disclose files on the local hard drive.
Microsoft indicates that it would be difficult to exploit the SSL vulnerability, but others in the security community are vigorously disputing this claim and point out that many readily available hacker tools could be used to manipulate browsers so they would expose data through this flaw.
Macromedia doesn’t list mitigating factors for any of its vulnerabilities.
Until a patch secures IE, the only remedy for the SSL problem is not to use IE for SSL transactions. Microsoft hasn’t indicated that it considers this a serious flaw, and there has been no report that it is working on a patch.
Flash
Macromedia urges users to download and install the latest version of the Flash Player (currently version 18.104.22.168) to block the serious malformed header attack vulnerability (MPSB02-09).
The XML vulnerability (MPSB02-10) is also fixed in the newest versions of Flash Player, as is the persistent connection problem.
This can get a bit confusing, so the best policy is simply to download the latest version of Flash Player rather than looking for a specific version as mentioned in different vulnerability listings.
What’s the absolute worst thing you can think of that you could discover about Internet Explorer? Would a vulnerability that would let sites easily hijack credit card information be pretty high on the list? How about if Microsoft knew about the vulnerability for five years or more and did nothing?
The biggest stumbling block to getting people to make purchases on the Internet has always been a fear that thieves could get hold of their credit card information (even though the risk exists when presenting a credit card to a clerk or giving the credit card information over the phone to a mail order company).
We have all come to rely on SSL technology and to trust that the little padlock symbol on our browser was assurance that our information was protected. Indeed, most reported credit card data disclosures have come from people hacking servers, not hijacking information en route. But it turns out that this may be due more to luck than to good security.
Microsoft is making little of the SSL vulnerability, saying that a hacker would have to go to the extraordinary effort of creating a Web page and then redirecting surfers to the site. This ignores the fact that such a ploy is easy to do and, in fact, happens all the time. The fact that Microsoft apparently knew about the ability to hijack SSL data for five years and did nothing about it is unacceptable.
As for the Flash problems, the information that Flash 6 keeps links active after leaving a site certainly clears up some problems I have been experiencing with bandwidth hogging. Sometimes, I see a lot of continued data traffic even when all the browser windows I have open are static. Apparently, I've been seeing Flash traffic from sites I've left that have remained active in the background. For a corporate network, this could add up to a lot of unneeded bandwidth utilization.