A rogue programmer recently announced the discovery of a serious new security flaw in Microsoft Internet Explorer (IE), Microsoft's popular Web-browser software, which could compromise the technology used to make secure online transactions. The vulnerability has been present in IE for up to 3 years, during which time users made millions of online transactions with the compromised technology. The bug is in IE's implementation of the Secure Sockets Layer (SSL) protocol for encryption and authentication and could let intruders launch "man-in-the-middle attacks" in which an intruder poses as the e-commerce site and obtains credit card information and other personal data.
"If you ever typed in credit card information to an SSL site there's a chance that somebody intercepted it," said Mike Benham, the programmer who discovered the flaw. However, no known attacks have yet occurred, and Microsoft has criticized Benham for irresponsibly issuing information about the flaw without contacting the company first. Benham said he was "frustrated" by Microsoft's response to other security flaws in the past, which is confusing because the company has responded quickly to such flaws all year.
Microsoft says that it's investigating the flaw, which affects IE 6.0, IE 5.5, and IE 5.0, and notes that several mitigating factors reduce users' risks, including the complexity of spoofing e-commerce sites. The company agrees that, if real, the flaw is potentially severe. IE users can expect to see a Critical Update delivered through Windows Update and Auto Update if the flaw is confirmed.