Reported May 17, 2001, by Microsoft.

VERSIONS AFFECTED

·         Microsoft Internet Explorer 5.01

·         Microsoft Internet Explorer 5.5

 

DESCRIPTION
Two newly discovered vulnerabilities affect Microsoft Internet Explorer (IE) versions 5.01 and 5.5 that let an attacker spoof trusted Web sites. The first vulnerability involves how IE validates digital certificates sent from Web servers. When you enable Certificate Revocation List (CRL) certificate checking, IE might stop performing the following checks:

·         Verification that the certificate has not expired

·         Verification that the server name matches the name on the certificate

·         Verification that the certificate is from a trusted issuer

 

The second vulnerability can let a Web page display the URL from a different Web site in the IE address bar. This spoofing can also occur within a valid Secure Sockets Layer (SSL) session with the impersonated site. An attacker can use both vulnerabilities to convince a user that the attacker’s Web site is actually a different, trusted site.

 

VENDOR RESPONSE

The vendor, Microsoft, has acknowledged these vulnerabilities and recommends that users immediately apply the patch contained in Security Bulletin MS01-027. 

 

CREDIT
Discovered by Alp Sinan.