This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://software.silicon.com/security/0,39024655,11035427,00.htm


Windows flaw sparks credit card theft fears
Do you ever get a feeling of déjà vu...?

By Joe Wilcox

Published: Friday 06 September 2002

Microsoft yesterday admitted that a flaw in its Windows operating system could allow hackers to gain unauthorised access to thousands of computers.

Microsoft issued a security alert, calling the flaw "critical". The flaw affects how more than a dozen Microsoft products, including programs for Windows and the Mac, handle digital certificates, which are used to certify the authenticity of a website or of software code.

The flaw could let a website with a valid certificate issue a second, invalid one, which could enable unauthorised access to a computer as well as, among other things, the theft of user passwords or credit card numbers.

Gartner analyst John Pescatore said: "You're on my site and I say, 'Click here to go to Amazon.com.' But I don't really take you to Amazon.com. I can pretend to be Amazon.com and get you to enter in your credit card number."

Experts were quick to point out that, so far, it is unlikely anyone has taken advantage of the flaw, but they also say that the implications of the flaw could be widespread, since it affects one of Windows' key security-authentication mechanisms, called CryptoAPI, which is also used by many non-Microsoft programs that run on Windows.

Analysts also warned that the problem, if exploited, could undermine consumers' confidence in conducting transactions over the web.

"They [Microsoft] have one little thing broken that affects so much of the security infrastructure. That's the bad news. The good news is probably no one has really exploited this over the years," said Richard Smith, an independent security analyst.

In the security bulletin, Microsoft warned that because of a flaw, CryptoAPI does not properly validate a certain portion of a digital certificate. The flaw affecting Mac products is unrelated to CryptoAPI, according to the security bulletin. Windows uses cryptography to authenticate the validity of websites and software components such as software drivers, and to keep intruders from gaining control of key subsystems.

"When we look at this particular issue, especially with the CryptoAPI, it shows these types of issues take thorough investigation," said Lynn Terwoerds, security program manager for Microsoft's Security Response Center. "We're in the situation where we've done our thorough investigation. People want to know if there is trust. Well, there is."

Microsoft strongly encouraged consumers and businesses to immediately install software patches, posted to the company's website, to correct the flaw. But the company has released patches for only four of the affected products: Windows NT 4, Windows NT 4 Terminal Server, Windows XP and Windows XP 64-bit Edition. Other vulnerable products include Windows 98, Windows 98 Second Edition, Windows Me and Windows 2000.

Six Microsoft Mac programs also are affected by the flaw: Office v. X, Office 2001, Office 98, Internet Explorer for Mac OS 8 and 9, Internet Explorer for Mac OS X and Outlook Express 5.05.

Patches are expected to be available soon for those products.

Joe Wilcox writes for News.com