
Possible Microsoft Flaw May Allow Attackers to Hijack Personal Information

The alleged flaw could allow attackers to pose as legitimate Web sites and collect personal information from unsuspecting victims.

SEATTLE (AP) -- Microsoft is investigating claims that its popular Internet Explorer software has a loophole that lets attackers pose as legitimate Web site operators, potentially giving them access to computer users' names, passwords and credit card numbers.

Although Microsoft said it's too soon to judge the severity of the problem -- and even whether the flaw exists -- some programmers and consultants said it could threaten the security of everything from online banking to Web-based commerce.

The problem is "fairly serious," said Elias Levy, a member of software security company Symantec Corp.'s security response team. He said that the complexity involved makes the probability of widespread attacks unlikely.

Attackers taking advantage of the loophole could trick computer users into thinking they are visiting legitimate Web sites, and could convince them to divulge personal information.

Mike Benham, a San Francisco programmer who discovered the problem, posted his findings Aug. 5 on a popular security-alert Web site.

Benham said Internet Explorer versions 5.0, 5.5 and 6.0 have loopholes in handling Web sites' digital certificates, such as those from VeriSign, which vouch for a Web site's identity and also carry the key used to encrypt information sent to it.

Essentially, any Web site operator with a valid certificate could pretend to be any other Web site operator.

Theoretically, he said, attackers could successfully hijack computer users -- such as over a company's internal network -- as they went to banking or e-commerce Web sites and intercept their information. Or they could send hijacked users to dummy Web sites and get them to give personal information.

Other Web browsers, such as Netscape and Mozilla, aren't vulnerable, Benham said.

Microsoft is still investigating and is unsure even whether to call the potential problem a vulnerability, said Scott Culp, manager of Microsoft's Security Response Center.

The possible flaw comes as Microsoft has launched a high-profile effort, called its Trustworthy Computing initiative, to resolve security concerns. But problems remain. The company has issued 41 security bulletins with patches so far this year.

Microsoft criticized Benham for not contacting Microsoft first when he discovered the problem, and instead posting it on the Internet. Benham said he did not directly notify Microsoft because he was frustrated by the company's response to other security researchers in the past.

Microsoft maintains it is difficult to wage an attack as Benham outlined, although Levy and another security expert, Bruce Schneier at Counterpane Internet Security, said it is possible.

"Investigating a security vulnerability sometimes takes a little bit longer than people may expect, because it's important that we be absolutely right about the answer we provide," Culp said, adding that Microsoft has not contacted Benham because they had sufficient information and doubted whether he was committed to helping solve the problem.

E-commerce companies have since contacted Microsoft about their concerns, Culp said.

VeriSign, one of the biggest providers of digital certificates, said it learned of the problem on Friday and contacted Microsoft, said Ben Golub, senior vice president of trust and payment services.

He said the two companies are working together to resolve the problem and that they don't know of any real cases yet where someone has successfully spoofed a Web site or gained information.

Copyright 2002. Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.