Reported October 12, 2000 by Microsoft

VERSIONS AFFECTED
  • Internet Explorer 4.x and 5.x excluding 5.5

DESCRIPTION

Microsoft has released a security bulletin and patches to address an issue in Internet Explorer versions 4.x and 5.x (excluding 5.5) that allows a malicious user to obtain user IDs and passwords for websites.

DEMONSTRATION

A user can be tricked into sending authentication data to the wrong server, and this data can easily be captured by network sniffing. This is also effective if SSL is in use.

VENDOR RESPONSE

Microsoft has released a security bulletin, MS00-0076, and a patch that is available at: http://www.microsoft.com/windows/ie/download/critical/q273868.htm

CREDIT
Discovered by ACROS Security