Responding to claims made earlier this week that Microsoft Internet Explorer (IE) contains a security flaw related to its implementation of Secure Sockets Layer (SSL) technology, the company says that the flaw is actually in Windows, not in IE. To address the problem, Microsoft is working on patches for Windows XP, Windows 2000, Windows NT 4.0, Windows Me, and Windows 98.
"This SSL flaw has been described as an [IE] problem but it is a Windows issue," said Scott Culp, who manages the Microsoft Security Response Center. "[The flaw] is in the [cryptography] of the [OS], so we have to patch the OS. It is an implementation problem in the way SSL certificates are processed, where information is not available in the certificate or it is available in two places and there is a conflict." Culp noted that IE relies on the cryptography code in Windows, which could explain why the security flaw was mistakenly attributed to IE.
Programmer Mike Benham first discovered the flaw last week, then posted information about it to a popular security forum without first notifying Microsoft. The company has asked security researchers and other people who find such vulnerabilities to contact the company first so that it can research and respond to security concerns before intruders can take advantage of such flaws.