SSL spoof bug still haunts IE, Safari, Chrome

Nine weeks after a hacker demonstrated how to spoof authentication certificates for virtually any website on the internet, users of Internet Explorer and many other applications remain susceptible because Microsoft hasn't patched the underlying vulnerability. The bug, which resides in an application programming interface known …

  1. Anonymous Coward

    Wouldn't expect anything less

    I mean, it's not like taking your computer into a repair shop for a memory expansion, which they can probably do on the spot for you.

    No matter what gets fixed, someone will break it, and is the real problem actually caused by Microsoft, is this a problem that has been created by them, or are you just expecting instant gratification, more to the point has it actually stopped the author of the article from surfing pron sites.

    You probably expect the banks to instantly rectify any mis-charge on your bank account, whilst dragging your own heels at repaying your overdraft.

  2. dave 46

    Understandable

    It may be easy to fix but Firefox only has one program to worry about breaking - Firefox.

    If MS go tinkering with the crypto API, and then (as you would) push it out through windows update, the damage could be epic.

    Think they should offer a hotfix for those willing to test and take the risk themselves though.

  3. Adam Connelly 1

    \ and 0 characters?

    "The bug stems from code that causes browsers, email clients, and other SSL-enabled apps to ignore all characters following the \ and 0 characters, which are used to denote the end of a sequence of characters in C-based languages."

    Not to be pedantic, but \0 is an escape sequence in languages like C that actually becomes the NULL character (i.e. a single rather than two characters). Therefore, it should read:

    The bug stems from code that causes browsers, email clients, and other SSL-enabled apps to ignore all characters following the null character, which is used to denote the end of a sequence of characters in C-based languages.

  4. Robert Grant

    @Anonymous Coward first poster

    1) Learn to write sentences.

    2) Don't make up things and use them as criticisms of the author's personality.

    3) This is a critical bug that deeply affects business on the internet. It's worth getting right, but it needs to be got right fast. And if there's a choice, it's still better for it to be obviously broken than subtly broken.

  5. Anonymous Coward

    @Robert Grant

    1) YES SIR. Any other orders for me to follow.

    2) The criticism is pointed at what is in reality a pointless article, this isn't the only bug not fixed by MS, and hardly the most critical either, seeing as business on the net is still thriving.

    3) Well if you want it done fast, do it yourself, if you want it done right, let the professionals do it, at their own pace, and in their own fashion. Pushing the point won't get it done will it, and another pointless article won't either.

  6. g e

    Addendum to Robert Grant

    4) Banks charge you for that overdraft and make money from the interest and over-limit charges, they like you to be tardy clearing it off.

    5) Yes banks should rectify mischarges immediately

  7. MarkOne

    Shouldn't the title read.

    Affects every browser, except Opera...

    Yet again, Opera's security policies demonstrate it's the most secure (and most functional and fastest) browser out there.

  8. Cameron Colley

    @AC "...hardly the most critical..."?

    What? OK, I'll not argue over it being the number one most critical hole present at this moment in time but, for fuck's sake, this potentially means that customers of major banks are the victims of man in the middle attacks while using their online banking site -- meaning that they could lose money. How the hell is that not critical?

  9. Anonymous Coward

    @ g e 09.25

    g e, maybe you're either a banker or a night worker, enjoying an early morning tipple.

    From the bank's perspective you may have a point; to the man on the street you're either pissed, or don't mind paying the exorbitant overdraft rates. Either way, you're either desperate or a fool.

  10. Tom 7

    @ dave 46

    Yeh, much better idea - don't fix all the things that use crypto API - wait till everyone's bank account is empty.

    If MS software is in such a disorganised state that they can't fix and test something like this (a buffer overflow!!) in a few days then they really shouldn't be in the software market.

  11. Anonymous Coward

    @ Cameron Colley

    Oh yeah, let's all panic right now, OMFG my bank account's been emptied, to which the bank manager replies, yes, along with everyone else's; in fact the whole world has been robbed blind because MS didn't fix the problem within 1/10th of a nanosecond.

    See that's the problem with broadband, instant gratification isn't quick enough now.

    Enough of the scare mongering, get a grip on reality.

  12. Grease Monkey

    No Title

    This illustrates a problem with relying on the underlying OS.

    Chrome and Safari rely on the MS code to process the certificates. Firefox doesn't. Firefox can therefore find the fault in their code and fix it. Google and Apple have a choice: either wait for MS to issue a fix or write a whole new module from scratch and also rewrite some code in their browser to use this module rather than the MS module.

    Of course received wisdom is that you should use the routine that exists in the OS rather than reinventing the wheel and writing your own code. So conventional programming wisdom would have it that Google and Apple have done the right thing and Mozilla the wrong thing. This situation shows that, from a practical point of view, the conventional wisdom is incorrect.

    As has been pointed out MS have lots more testing to do, but still not months' worth. So the fact that MS haven't patched the vulnerability yet is inexcusable.

  13. Lu

    @ Shouldn't the title read. # By MarkOne

    Exactly what I was about to say!

  14. Ken Hagan

    @Grease Monkey

    "Of course received wisdom is that you should use the routine that exists in the OS rather than reinventing the wheel and writing your own code. So conventional programming wisdom would have it that Google and Apple have done the right thing and Mozilla the wrong thing."

    Up to a point. It is true that received wisdom is VERY unkind towards those who invent their own cryptographic wheels. However, Mozilla have a defence in being cross-platform. They can either use the facilities provided by each OS, or they can pick one implementation and bake that into their own code on all platforms. There are pros and cons on either side.

    "As has been pointed out MS have lots more testing to do, but still not months' worth. So the fact that MS haven't patched the vulnerability yet is inexcusable."

    They should not be doing *lots* of testing. As was pointed out at the time of the original disclosure, the spec actually says "counted string" and not "nul terminated string", so MS only need to test that their new code does that. They don't need to test for any wider fall-out, because conforming clients will not be affected by the fix and (as noted in a comment above) non-conforming clients *should* break loudly rather than quietly.
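
The distinction drawn in the two posts above (Adam Connelly's point that \0 is a single NUL byte, and Ken Hagan's that the spec says "counted string", not "nul terminated string") is the whole bug. The following is an added illustration, not code from the thread, from Microsoft, or from any browser: a constructed subject name carrying an embedded NUL byte is checked against a hostname twice, once with a strcmp-style routine that stops at the first NUL (the defect), and once with a routine that honours the counted length and refuses any NUL outright. The host names, the function names and the byte layout are all invented for the example; an ASN.1 string in a real certificate carries its length explicitly, which is why the NUL is an ordinary byte to a conforming parser.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a subject name as it might sit inside a certificate,
 * with a NUL byte in the middle. The string literal's own trailing terminator
 * is excluded from the counted length below. Hostnames are illustrative. */
static const unsigned char CN_WITH_NUL[] = "www.bank.example\0.attacker.example";
static const size_t CN_WITH_NUL_LEN = sizeof(CN_WITH_NUL) - 1; /* 34 bytes */

/* Defective check: the counted length is thrown away and the buffer is treated
 * as a C string, so comparison stops at the embedded NUL and reports a match
 * on "www.bank.example" even though the full name is something else. */
bool match_c_string(const unsigned char *cn, size_t cn_len, const char *host)
{
    (void)cn_len; /* discarding the length is the bug */
    return strcmp((const char *)cn, host) == 0;
}

/* Conforming check: every one of cn_len bytes takes part in the comparison.
 * A NUL byte is rejected up front because a valid DNS name never contains
 * one, so the mismatch surfaces as a certificate error instead of a silent
 * accept (the "break loudly rather than quietly" behaviour discussed above). */
bool match_counted(const unsigned char *cn, size_t cn_len, const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return false;
    size_t host_len = strlen(host);
    if (host_len != cn_len)
        return false;
    return memcmp(cn, host, cn_len) == 0;
}

int main(void)
{
    const char *host = "www.bank.example";
    printf("C-string compare : %s\n",
           match_c_string(CN_WITH_NUL, CN_WITH_NUL_LEN, host) ? "MATCH (wrong)" : "no match");
    printf("counted compare  : %s\n",
           match_counted(CN_WITH_NUL, CN_WITH_NUL_LEN, host) ? "match" : "no match (correct)");
    return 0;
}
```

The fix Ken Hagan describes is exactly the difference between the two functions: carry the length that the certificate encoding already supplies all the way into the comparison, and treat a NUL as invalid rather than as a terminator. Any client that was relying on the truncating behaviour fails visibly with the second routine, which is the outcome the thread argues for.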

  15. Sam Liddicott

    @Ken Hagan

    Mozilla also have the defense of being first, and writing their code before Microsoft.

    The mozilla guys invented it.

  16. Anonymous Coward

    Opera

    Why do articles like this on The Register never mention Opera? They focus on Firefox as though it's somehow uniquely secure, whereas in fact it's only marginally better than IE, behind Safari and Opera.

    But The Register loves plastering Opera's name in the title and throughout articles about the EU, or what people from IBM, Oracle and Mozilla are saying about Microsoft and the EU.

  17. Brett Leach

    Not sticking to API specs = self fornication.

    Yes I'm aware that M$ is notorious for undocumented features they use for their own benefit. However, anyone who relies upon such is asking for a severe rogering.

    Provided the specs for this particular module are well defined (yeah, yeah, I know, a big ask from M$) AND given the potential for disaster inherent in delays, then M$ should issue a spec compliant fix ASAP and let the chips fall where they may.

    I would much, much rather my internet banking package failed to work altogether, than have a hole in it big enough for a Mack truck.

    The whole idea of encapsulation is to ensure that the behaviour of modules is well defined. Burrowing past the encapsulation to save a few bytes of code or cycles of CPU time is a recipe for disaster.

  18. Stuart 18

    @MarkOne

    Thank you, sir/ma'am/androgynous :-) It was my one and only reason for reading the comments, just to see if Opera was secure too. I really wish that, as serious tech authors, the Register's writers & editors would look at their own browser logs and see how worthless it is exposing yet another hole in the soft underbelly of IE. I have little doubt that the dwindling percent they see for IE is probably people, like me, who've switched their browser to report as IE. Please, please, please focus more on other browsers. The article should be titled "SSL flaw affects Safari and Chrome; FF 'n' Opera fine; needya even ask about IE?"

    Stu-baby

    Opera we love you, Opera we do, Internet Explorer, we're laughing at you...

  19. pitagora

    i do not consider this a bug in M$'s code

    Traditionally the null character should terminate a string. Every programmer out there assumes this, if stated otherwise in the specifications. Even if you say that the null character will not terminate the string, many will make the mistake of assuming it does. This is how things should be in C. Changing the API to interpret a \0 as any other character is bound to break 99% of the applications out there. The fix should be in the browser, which should invalidate such certificates, not in the crypto functions that validate it. Those functions are general purpose! They were not specifically meant for SSL certificates! They are used for any kind of cryptographic feature, from hard disk encryption to SSH tunnels. Make that fix, and break everything else on the market. Somebody said he would be OK if he couldn't use his bank online for a few days rather than losing some money to a phisher, but it wouldn't be your bank website only, but the whole bank, perhaps stock markets, secure servers, encrypted databases and so on. Do you realize what kind of a financial catastrophe it would be if all systems relying on this API broke, even if only for a few days?

  20. Steve 72

    First

    ...thing I do with these type articles is Ctrl-F for "Opera". Sure they have exploits (generally quite quickly patched) but the thing is one of the most secure out there.

    Easily confirmed at secunia.com

  21. mark cox

    Actual timeline

    We actually had advance notice to be able to fix this issue so quickly after disclosure:

    http://www.awe.com/mark/blog/20091007.html

  22. Gordon.Young

    Seeking more info on MS CAPI bug

    I am in search of more information. I have read the Moxie Marlinspike article. I did see some of the other exploits demonstrated by SSL-Sniff first hand, but am yet to see where this exploit exists in the timeline of Windows + CAPI enabled applications, browsers, email, custom, etc.

    Has this vulnerability been documented in Microsoft's crypto API? Has there been a test matrix of the various versions of Windows, current offerings, and those still in the wild, paired with the possibilities of browser+OS pairings which demonstrate the "C-String" flaw in CAPI?

    Please someone educate me on documented cases of this exploit in Windows CAPI + CAPI reliant applications (browsers, etc.). I didn't see it in the Moxie article. I apologize if I simply missed it.

    Thank you in advance.

    Gordon~

  23. Anonymous Coward

    Opera probably unaffected

    I DON'T THINK this affects OPERA !

    As you can see here there's someone asking for help on how to use Microsoft Crypto API interface with Opera in a plugin.

    http://dev.opera.com/forums/topic/237435

    on Monday, 16. June 2008

    This shows that Opera doesn't use it by default, though a custom third party plugin can be written and loaded in Opera which might use it. Opera is written in C++ and they don't use any open source or anything else not written by them (as far as I know).

    QD
