September 6, 2002 6:39 AM PDT
Credit card theft feared in Windows flaw
Microsoft issued a security alert, calling the flaw "critical." The flaw affects how more than a dozen Microsoft products, including programs for Windows and the Macintosh, handle digital certificates, which are used to certify the authenticity of a Web site or of software code.
The flaw could let a Web site with a valid certificate issue a second, invalid one, which could enable unauthorized access to a computer as well as, among other things, the theft of user passwords or credit card numbers.
"You're on my site and I say, 'Click here to go to Amazon.com.' But I don't really take you to Amazon.com. I can pretend to be Amazon.com and get you to enter in your credit card number," explained Gartner analyst John Pescatore.
Experts were quick to point out that, so far, it is unlikely anyone has taken advantage of the flaw, but they also say that the implications of the flaw could be widespread, since it affects one of Windows' key security-authentication mechanisms, called CryptoAPI, which is also used by many non-Microsoft programs that run on Windows. Analysts also warned that the problem, if exploited, could undermine consumers' confidence in conducting transactions over the Web.
"They (Microsoft) have one little thing broken that affects so much of the security infrastructure. That's the bad news. The good news is probably no one has really exploited this over the years," said Richard Smith, an independent security analyst.A chink in the digital armor
In the security bulletin, Microsoft warned that because of a flaw, CryptoAPI does not properly validate a certain portion of a digital certificate. The flaw affecting Macintosh products is unrelated to CryptoAPI, according to the security bulletin. Windows uses cryptography to authenticate the validity of Web sites and software components such as software drivers, and to keep intruders from gaining control of key subsystems.
"When we look at this particular issue, especially with the CryptoAPI, it shows these types of issues take thorough investigation," said Lynn Terwoerds, security program manager for Microsoft's Security Response Center. "We're in the situation where we've done our thorough investigation...People want to know if there is trust. Well, there is."
Microsoft strongly encouraged consumers and businesses to immediately install software patches, posted to the company's Web site, to correct the flaw. But Windows 2000, one of the most popular Microsoft operating systems among businesses, has yet to be patched.
Initially, the company made patches available for Windows NT 4, Windows NT 4 Terminal Server, Windows XP and Windows XP 64-bit Edition. Late Thursday, Microsoft also released patches for Windows 98, Windows 98 Second Edition and Windows Me.
Six Microsoft Macintosh programs also are affected by the flaw: Office v. X, Office 2001, Office 98, Internet Explorer for Mac OS 8 and 9, Internet Explorer for Mac OS X and Outlook Express 5.05. Patches are expected to be available soon for those products.
Microsoft deemed the problem critical for the affected Windows products but moderate for the Macintosh applications. The Redmond, Wash.-based company also noted that some older versions of the programs could be vulnerable to attack. Since Microsoft no longer supports the programs, no patches will be released for them.
Microsoft could not say when the other patches would be made available. "We are working round the clock right now," Terwoerds said. "As soon as they're available, we'll release them."
The problem potentially affects many other programs that might rely on Windows cryptography features.
CryptoAPI is "part of the base operating system, so the problem will affect a lot of different products. We don't know, for example, what non-Microsoft products people have to be concerned about here," said Smith.
Last month, Microsoft issued a warning about a separate flaw that also affects digital certificates. That flaw doesn't allow a hacker to steal the certificates, but it does let the attacker corrupt the data, rendering it useless to the PC's owner.
Avenues of attack
Unpatched computers, particularly those running Windows, are vulnerable to a variety of avenues of attack, Microsoft warned.
Because of the vulnerability, CryptoAPI might not recognize that a second digital certificate is bogus and would therefore fail to warn PC user. The issuer could then use that unauthorized certificate to redirect that person to a second Web site for conducting an online transaction using Secure Socket Layer.
SSL, an encryption technology widely used in online transactions, lets Web servers scramble credit card numbers and other information so they can't be seen by prying eyes. In this instance, a person might start a legitimate transaction at one Web site, then be unknowingly redirected to a second, bogus site, analysts said.
Security analyst Smith said the problem could become significant, since so many computers use software containing the flaw. "It's much more widespread than people originally thought," he said. "And, because this has to do with CryptoAPI, the problem may have existed for five years."
Gartner's Pescatore emphasized that although no one has yet to really exploit the vulnerability, it does not negate the flaw's significance. Consumers have grown comfortable with the secure key symbol in a browser, which indicates that it's safe to conduct a transaction.
"They believe Secure Socket Layer is running and it's safe to enter in their password, safe to enter in their credit card information," Pescatore said. "If this flaw were exploited, people could all of a sudden say, 'Wait a minute, it's not safe to put my credit card into Amazon.com or do trades on E*Trade, because how do I ever know I'm talking to E*Trade?'"
Microsoft also is concerned about the vulnerability's potential impact on trusted online transactions. "That's why we're taking aggressive measures to let people know about this," Terwoerds said.
In another potential exploit, a rogue Web site could trash a computer's root digital certificate issued by third-party authenticator VeriSign. With that mechanism broken, the person would no longer be able to conduct transactions over the Web. The hacker could then send an e-mail that says, "The certificate is no longer working. Click here to install a new one."
Pescatore said with that capability, if he had malicious intent, "I could go to VeriSign, get a certificate for Pescatore.com and trick you into thinking it was Amazon.com."
Pescatore's example points to yet another possible abuse identified by Microsoft: sending, via e-mail, a seemingly valid digital certificate that's actually signed by someone else.A hacking two-step
Still, analysts noted that the vulnerability would generally require some kind of two-step process for hackers to fully take advantage of it. But they could rely on habits ingrained in consumers who do business over the Web--ingrained by Microsoft itself in some instances--to help them succeed.
"More and more consumers are using Windows Update and automatically updating their Microsoft software," Pescatore said. "They're getting trained to respond to 'You need to update, so click here.' These vulnerabilities exploit this behavior."
Terwoerds, who emphasized she was not trying to downplay the security flaw, agreed with the assessment by analysts that a multistep process would be required to make the exploit work.
"Are users going to be able to go to all these bogus Web sites and give out credit card information?" she asked. "Is it possible? Yes. Is each a likely scenario? No."
Wednesday's security warning comes after a long list of recent alerts. Attacks this week against Windows 2000 Server have stumped Microsoft, for example. In August alone, Microsoft issued eight security alerts. It's issued two so far in September.
Microsoft has been issuing security alerts on a fairly frequent basis since January, when company Chairman Bill Gates made security a top priority for the company. The company will likely issue even more security bulletins as the year progresses, say analysts.
"They started out with the server products and then moved on to the server applications," Pescatore said. "They've now moved on to the desktop OS and things like (Internet) Explorer. They're shaking out the laundry and all these bugs are flying out...that haven't been looked at. There's more to come."