SSL Certificate Security Flaw In Microsoft Internet Explorer

I first saw this in The Register, which attributes discovery of the flaw to Mike Benham, but CNET has a clearer take:

The IE problem has been around for at least five years and could allow an attacker to intercept personal data when a person is making a purchase or providing information for e-commerce purposes, said Mike Benham, an independent security researcher based in San Francisco.

“If you ever typed in credit card information to an SSL site, there’s a chance that somebody intercepted it,” he said, referring to the Secure Socket Layer protocol for encryption and authentication.

IE fails to check the validity of digital certificates used to prove the identity of Web sites, allowing for an “undetected, man in the middle attack,” he said Monday.

Well, isn’t that just ducky. I’ve not yet seen much coverage of this, but the little I have seen makes me think this is far more serious in terms of the average user than it appears, given the increased popularity of online purchasing and bill paying.

Internet Explorer 1.5.3 for Mac OS X

Yes, it’s out, and yes, I’ve downloaded it from Version Tracker (look to the left for the link) and installed it, which has served to remind me why I like Mozilla so much better.

Once I installed I.E., I discovered that it had, without my consent, changed my Internet Preferences, switching my Default Browser setting from Mozilla to I.E., and it also changed my Home page setting, from a custom page on my drive, to MSN. That’s rude, nasty and typical of Microsoft. It is not acceptable to change a user’s settings or preferences without asking first.