Credit Card Theft Feared

Microsoft issued a security alert, calling the flaw "critical." The flaw affects at least a dozen Microsoft products, including programs for Windows and the Macintosh... the handling of digital certificates, which are used to certify the authenticity of a Web site or of software code. The flaw could let Web sites with valid certificates issue a second, invalid one, which could enable unauthorized access to a computer as well as, among other things, theft of user passwords or credit card numbers.

If you are on a site, they could say, 'Click here to go to eBay.' But they don't really take you to eBay. This 'false' site could pretend to be eBay and get you to enter in your credit card numbers.

Experts quickly pointed out that, so far, it is unlikely anyone has taken advantage of the flaw, but they also say that the implications of the flaw could be widespread, since it affects one of Windows' key security-authentication mechanisms, called CryptoAPI, which is also used by many non-Microsoft programs that run on Windows. Analysts also warned that the problem, if exploited, could undermine consumers' confidence in conducting transactions over the Web.

They (Microsoft) had one little thing broken that affects so much of the security infrastructure. That's the bad news. The good news is probably no one has really exploited this security risk over the years.

The Chink in Digital Armor

Microsoft warned that because of a flaw, CryptoAPI does not properly validate a certain portion of a digital certificate. The flaw affecting Macintosh products is unrelated to CryptoAPI, according to the security bulletin. Windows uses cryptography to authenticate the validity of Web sites and software components such as software drivers, and to keep intruders from gaining control of key subsystems.

When looking at this particular issue, especially with the CryptoAPI, it shows these types of issues take thorough investigation.
The situation has now received thorough investigation, and trust can be given once again.

Microsoft strongly encouraged consumers and businesses to immediately install software patches, posted to the company's Web site, to correct the flaw. The company has released patches for only four of the affected products, however (that we know of): Windows NT 4, Windows NT 4 Terminal Server, Windows XP and Windows XP 64-bit Edition. Other vulnerable products include Windows 98, Windows 98 Second Edition, Windows Me and Windows 2000. Six Microsoft Macintosh programs also are affected by the flaw: Office v. X, Office 2001, Office 98, Internet Explorer for Mac OS 8 and 9, Internet Explorer for Mac OS X and Outlook Express 5.05. Patches are expected to be available soon for those products.

Microsoft deemed the problem critical for the affected Windows products but moderate for the Macintosh applications. The Redmond, Wash.-based company also noted that some older versions of the programs could be vulnerable to attack. Since Microsoft no longer supports the programs, no patches will be released for them.

The problem potentially affects many other programs that might rely on Windows cryptography features. CryptoAPI is part of the base operating system, so the problem will affect a lot of different products. It is not known, for example, what non-Microsoft products people may have to be concerned about.

Microsoft did issue a warning about a separate flaw that also affects digital certificates. That flaw doesn't allow a hacker to steal the certificates, but it does let the attacker corrupt the data, rendering it useless to the PC's owner.

Avenue of attack

Unpatched computers, particularly those running Windows, are vulnerable to a variety of avenues of attack. Because of the vulnerability, CryptoAPI might not recognize that a second digital certificate is bogus and would therefore fail to warn the PC user.
The issuer could then use that unauthorized certificate to redirect that person to a second Web site for conducting an online transaction using Secure Sockets Layer. SSL, an encryption technology widely used in online transactions, lets Web servers scramble credit card numbers and other information so they can't be seen by prying eyes. In this instance, a person might start a legitimate transaction at one Web site, then be unknowingly redirected to a second, bogus site, analysts said.

Security analysts say the problem could become significant, since so many computers use software containing the flaw.

It is much more widespread than people think. Because this has to do with CryptoAPI, the problem may have existed for about five years. People may have believed Secure Socket Layers were running and it's safe to enter in their password, safe to enter in their credit card information.

In another potential exploit, a rogue Web site could trash a computer's root digital certificate issued by a third-party authenticator like VeriSign. With that mechanism broken, the person would no longer be able to conduct transactions over the Web. The hacker could then send an e-mail that said the certificate is no longer working. "Click here to install a new one."

Someone could go to VeriSign, get a certificate, and trick you into thinking it was eBay.
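
The chain failure described under "Avenue of attack", as an added example that is not from the article or from Microsoft: a simplified validator run with and without the check that an issuing certificate is allowed to issue. The article does not say which portion of the certificate goes unvalidated; this sketch assumes it is the flag marking a certificate as a certificate authority, and the `Cert` model, names and hosts are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a certificate; real signature checks are omitted."""
    subject: str
    issuer: str
    is_ca: bool  # assumption: the field the flawed validator never looks at

TRUSTED_ROOTS = {"Example Root CA"}  # constructed trust store

def validate_chain(chain, enforce_ca_flag=True):
    """Validate a leaf-first chain and return (ok, reason)."""
    if not chain:
        return False, "empty chain"
    for child, parent in zip(chain, chain[1:]):
        # Name linkage stands in for verifying the parent's signature.
        if child.issuer != parent.subject:
            return False, f"{child.subject}: issuer does not match {parent.subject}"
        # The check the flawed validator skips: may the parent issue at all?
        if enforce_ca_flag and not parent.is_ca:
            return False, f"{parent.subject}: not permitted to issue certificates"
    root = chain[-1]
    if root.subject not in TRUSTED_ROOTS or root.issuer != root.subject:
        return False, f"{root.subject}: not a trusted root"
    return True, "ok"

# Constructed sample data: a root, a valid site certificate, and a second
# certificate that the site certificate (not a CA) has issued.
ROOT = Cert("Example Root CA", "Example Root CA", True)
SITE = Cert("shop.example", "Example Root CA", False)
SECOND = Cert("auction.example", "shop.example", False)

def demo():
    forged = [SECOND, SITE, ROOT]
    return {
        "valid_site": validate_chain([SITE, ROOT]),
        "second_cert_flag_ignored": validate_chain(forged, enforce_ca_flag=False),
        "second_cert_flag_enforced": validate_chain(forged),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the flag ignored, the second certificate chains cleanly to the trusted root and no warning is raised; with it enforced, validation stops at the site certificate that acted as an issuer.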