Credit card theft feared in Windows flaw

[InfoSec News <isn () c4i org>]

http://news.com.com/2100-1001-956729.html?tag=fd_top

By Joe Wilcox 
Staff Writer, CNET News.com
September 5, 2002, 11:34 AM PT

[update] Microsoft late Wednesday said that a flaw in its Windows
operating system could allow hackers to gain unauthorized access to
thousands of computers.

Microsoft issued a security alert, calling the flaw "critical." The
flaw affects how more than a dozen Microsoft products, including
programs for Windows and the Macintosh, handle digital certificates,
which are used to certify the authenticity of a Web site or of
software code.

The flaw could let a Web site with a valid certificate issue a second,
invalid one, which could enable unauthorized access to a computer as
well as, among other things, the theft of user passwords or credit
card numbers.

"You're on my site and I say, 'Click here to go to Amazon.com.' But I
don't really take you to Amazon.com. I can pretend to be Amazon.com
and get you to enter in your credit card number," explained Gartner
analyst John Pescatore.

Experts were quick to point out that, so far, it is unlikely anyone
has taken advantage of the flaw, but they also say that the
implications of the flaw could be widespread, since it affects one of
Windows' key security-authentication mechanisms, called CryptoAPI,
which is also used by many non-Microsoft programs that run on Windows.  
Analysts also warned that the problem, if exploited, could undermine
consumers' confidence in conducting transactions over the Web.

"They (Microsoft) have one little thing broken that affects so much of
the security infrastructure. That's the bad news. The good news is
probably no one has really exploited this over the years," said
Richard Smith, an independent security analyst.

A chink in the digital armor

In the security bulletin, Microsoft warned that because of a flaw,
CryptoAPI does not properly validate a certain portion of a digital
certificate. The flaw affecting Macintosh products is unrelated to
CryptoAPI, according to the security bulletin. Windows uses
cryptography to authenticate the validity of Web sites and software
components such as software drivers, and to keep intruders from
gaining control of key subsystems.

"When we look at this particular issue, especially with the CryptoAPI,
it shows these types of issues take thorough investigation," said Lynn
Terwoerds, security program manager for Microsoft's Security Response
Center. "We're in the situation where we've done our thorough
investigation...People want to know if there is trust. Well, there
is."

Microsoft strongly encouraged consumers and businesses to immediately
install software patches, posted to the company's Web site, to correct
the flaw. But the company has released patches for only four of the
affected products: Windows NT 4, Windows NT 4 Terminal Server, Windows
XP and Windows XP 64-bit Edition. Other vulnerable products include
Windows 98, Windows 98 Second Edition, Windows Me and Windows 2000.

Six Microsoft Macintosh programs also are affected by the flaw: Office
v. X, Office 2001, Office 98, Internet Explorer for Mac OS 8 and 9,
Internet Explorer for Mac OS X and Outlook Express 5.05. Patches are
expected to be available soon for those products.

Microsoft deemed the problem critical for the affected Windows
products but moderate for the Macintosh applications. The Redmond,
Wash.-based company also noted that some older versions of the
programs could be vulnerable to attack. Since Microsoft no longer
supports the programs, no patches will be released for them.

Microsoft could not say when the other patches would be made
available. "We are working round the clock right now," Terwoerds said.  
"As soon as they're available, we'll release them."

The problem potentially affects many other programs that might rely on
Windows cryptography features.

CryptoAPI is "part of the base operating system, so the problem will
affect a lot of different products. We don't know, for example, what
non-Microsoft products people have to be concerned about here," said
Smith.

Last month, Microsoft issued a warning about a separate flaw that also
affects digital certificates. That flaw doesn't allow a hacker to
steal the certificates, but it does let the attacker corrupt the data,
rendering it useless to the PC's owner.

Avenues of attack

Unpatched computers, particularly those running Windows, are
vulnerable to a variety of avenues of attack, Microsoft warned.

Because of the vulnerability, CryptoAPI might not recognize that a
second digital certificate is bogus and would therefore fail to warn
PC user. The issuer could then use that unauthorized certificate to
redirect that person to a second Web site for conducting an online
transaction using Secure Socket Layer.

SSL, an encryption technology widely used in online transactions, lets
Web servers scramble credit card numbers and other information so they
can't be seen by prying eyes. In this instance, a person might start a
legitimate transaction at one Web site, then be unknowingly redirected
to a second, bogus site, analysts said.

Security analyst Smith said the problem could become significant,
since so many computers use software containing the flaw. "It's much
more widespread than people originally thought," he said. "And,
because this has to do with CryptoAPI, the problem may have existed
for five years."

Gartner's Pescatore emphasized that although no one has yet to really
exploit the vulnerability, it does not negate the flaw's significance.  
Consumers have grown comfortable with the secure key symbol in a
browser, which indicates that it's safe to conduct a transaction.

"They believe Secure Socket Layer is running and it's safe to enter in
their password, safe to enter in their credit card information,"  
Pescatore said. "If this flaw were exploited, people could all of a
sudden say, 'Wait a minute, it's not safe to put my credit card into
Amazon.com or do trades on E*Trade, because how do I ever know I'm
talking to E*Trade?'"

Microsoft also is concerned about the vulnerability's potential impact
on trusted online transactions. "That's why we're taking aggressive
measures to let people know about this," Terwoerds said.

In another potential exploit, a rogue Web site could trash a
computer's root digital certificate issued by third-party
authenticator VeriSign. With that mechanism broken, the person would
no longer be able to conduct transactions over the Web. The hacker
could then send an e-mail that says, "The certificate is no longer
working. Click here to install a new one."

Pescatore said with that capability, if he had malicious intent, "I
could go to VeriSign, get a certificate for Pescatore.com and trick
you into thinking it was Amazon.com."

Pescatore's example points to yet another possible abuse identified by
Microsoft: sending, via e-mail, a seemingly valid digital certificate
that's actually signed by someone else.

A hacking two-step

Still, analysts noted that the vulnerability would generally require
some kind of two-step process for hackers to fully take advantage of
it. But they could rely on habits ingrained in consumers who do
business over the Web--ingrained by Microsoft itself in some
instances--to help them succeed.

"More and more consumers are using Windows Update and automatically
updating their Microsoft software," Pescatore said. "They're getting
trained to respond to 'You need to update, so click here.' These
vulnerabilities exploit this behavior."

Terwoerds, who emphasized she was not trying to downplay the security
flaw, agreed with the assessment by analysts that a multistep process
would be required to make the exploit work.

"Are users going to be able to go to all these bogus Web sites and
give out credit card information?" she asked. "Is it possible? Yes. Is
each a likely scenario? No."

Wednesday's security warning comes after a long list of recent alerts.  
Attacks this week against Windows 2000 Server have stumped Microsoft,
for example. In August alone, Microsoft issued eight security alerts.  
It's issued two so far in September.

Microsoft has been issuing security alerts on a fairly frequent basis
since January, when company Chairman Bill Gates made security a top
priority for the company. The company will likely issue even more
security bulletins as the year progresses, say analysts.

"They started out with the server products and then moved on to the
server applications," Pescatore said. "They've now moved on to the
desktop OS and things like (Internet) Explorer. They're shaking out
the laundry and all these bugs are flying out...that haven't been
looked at. There's more to come."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.