Internet Explorer Allows Spoofing of Trusted Web Sites

Reported May 17, 2001, by Microsoft.


· Microsoft Internet Explorer 5.01
· Microsoft Internet Explorer 5.5


Two newly discovered vulnerabilities in Microsoft Internet Explorer (IE) versions 5.01 and 5.5 let an attacker spoof trusted Web sites. The first vulnerability involves how IE validates digital certificates sent from Web servers. When you enable Certificate Revocation List (CRL) certificate checking, IE might stop performing the following checks:

· Verification that the certificate has not expired
· Verification that the server name matches the name on the certificate
· Verification that the certificate is from a trusted issuer
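
The failure mode in the first vulnerability, where turning on revocation checking turns other checks off, can be tested for in any TLS client configuration. The following is an added example, not Microsoft's code or part of the original advisory; it uses Python's standard `ssl` module, and the function names and the mapping of the three checks onto `ssl` settings are assumptions made for illustration.

```python
import ssl

def enforced_checks(ctx):
    """Return the names of the certificate checks this context will enforce."""
    checks = set()
    if ctx.verify_mode == ssl.CERT_REQUIRED:
        # OpenSSL's chain verification covers both validity dates and issuer trust.
        checks.update({"not expired", "trusted issuer"})
    if ctx.check_hostname:
        checks.add("server name matches")
    if ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF:
        checks.add("not revoked (CRL)")
    return checks

def checks_lost_by_enabling_crl(make_context):
    """Checks enforced without CRL checking that vanish once it is enabled."""
    return enforced_checks(make_context(False)) - enforced_checks(make_context(True))

def layered_context(crl_checking):
    """Correct pattern: revocation checking is added on top of the defaults."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname on
    if crl_checking:
        # With this flag set and no CRL loaded, the handshake fails closed.
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx

def replacing_context(crl_checking):
    """Constructed model of the failure mode: the CRL path drops the other checks."""
    ctx = ssl.create_default_context()
    if crl_checking:
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
        ctx.check_hostname = False       # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

if __name__ == "__main__":
    for factory in (layered_context, replacing_context):
        lost = checks_lost_by_enabling_crl(factory)
        print(f"{factory.__name__}: lost checks = {sorted(lost) or 'none'}")
```

Running `checks_lost_by_enabling_crl` against a client's real context factory works as a regression test: any non-empty result means enabling revocation checking weakened validation.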


The second vulnerability can let a Web page display the URL from a different Web site in the IE address bar. This spoofing can also occur within a valid Secure Sockets Layer (SSL) session with the impersonated site. An attacker can use both vulnerabilities to convince a user that the attacker’s Web site is actually a different, trusted site.



The vendor, Microsoft, has acknowledged these vulnerabilities and recommends that users immediately apply the patch contained in Security Bulletin MS01-027. 


Discovered by Alp Sinan.
