Microsoft has issued warnings to users of Internet Explorer regarding two newly discovered vulnerabilities. Both of these vulnerabilities enable attackers to hack trusted websites.
The first and maybe the worst of these vulnerabilities is Certificate Revocation List (CRL) checking. If CRL checking is enabled, hackers can disable the browser's ability to check whether the certificate has expired, that the name on the digital certificate matches the name on the server, and that the certificate issuer can be trusted i.e. it will appear as a trusted website.
The implications of this could mean that users might find it difficult to determine whether an ex-employee is still accessing restricted areas with a digital certificate which has been revoked.
The second vulnerability enables attackers to display a different URL within the address bar than the site the browser is actually in connection with. Microsoft says this spoof can even occur within valid Secure Sockets Layer sessions.
These vulnerabilities can lead users to believe they are using a trusted website and provide sensitive information.
If you are a user of Microsoft Explorer browsers you can read full details of these and any other reported vulnerabilities in Explorer and download patches to remedy the problems at Microsoft's website:
Once you reach the website, select Headlines from the left hand menu options. This will take you to the latest Microsoft news releases concerning Internet Explorer.
The next page will open into Microsoft TechNet website, the main heading there is Security, displayed under this heading you will see a subheading entitled Security Bulletin Search , which contains a list entitled (Microsoft Bulletins) MS01-25, 26 and 27, these are reports on the latest vulnerabilities found in Explorer.
To read more on each item click on required titled hyperlink, this will also lead you to downloadable patch fixes.
- MS01-25 - is information for system administrators using Microsoft® Index Server 2.0 in Windows NT® 4.0 or Indexing Service in Windows® 2000.
- MS01-26 - is information for System administrators using Microsoft® Internet Information Server 4.0 or Internet Information Services 5.0.
- MS01-27 - is for information for all users of Explorer 5.01 and 5.5.
Under the above subheadings and bulleted hyperlinks, you will notice a hyperlink entitled want to receive further security bulletins automatically?, where you can register with Microsoft for the latest information concerning security issues.
IT TrainingZONE
