Microsoft indicates that it would be difficult to exploit the SSL vulnerability, but others in the security community are vigorously disputing this claim and point out that many readily available hacker tools could be used to manipulate browsers so they would expose data through this flaw. Macromedia doesn't list mitigating factors for any of its vulnerabilities.

Fix
To fix the SSL problem, do not use IE for SSL transactions until it's secured with a patch. Microsoft hasn't indicated that the company feels this is a serious flaw, and there has been no report that they are working on a patch.

Flash

Macromedia urges users to download and install the latest version of the Flash Player (currently version 6.0.40.0) to block the serious malformed header attack vulnerability (MPSB-02-09). The XML vulnerability (MPSB-02-10) is also fixed in the newest versions of Flash Player, as is the persistent connection problem. This can get a bit confusing, so the best policy is simply to download the latest version of Flash Player rather than looking for a specific version as mentioned in different vulnerability listings.

Final word
What's the absolute worst thing you can think of that you could discover about Internet Explorer? Would a vulnerability that would let sites easily hijack credit card information be pretty high on the list? How about if Microsoft knew about the vulnerability for five years or more and did nothing?

The biggest stumbling block to getting people to make purchases on the Internet has always been a fear that thieves could get hold of their credit card information (even though the risk exists when presenting a credit card in a shop or restaurant, or giving the credit card information over the phone to a mail order company). We have all come to rely on SSL technology and to trust that the little padlock symbol on our browser was assurance that our information was protected. Indeed, most reported credit card data disclosures have come from people hacking servers, not hijacking information en route. But it turns out that this may be due more to luck than to good security.

Microsoft is making little of the SSL vulnerability, saying that a hacker would have to go to the extraordinary effort of creating a Web page and then redirecting surfers to the site. This ignores the fact that such a ploy is easy to do and, in fact, happens all the time. The fact that Microsoft apparently knew about the ability to hijack SSL data for five years and did nothing about it is unacceptable.

As for the Flash problems, the information that Flash 6 keeps links active after leaving a site certainly clears up some problems I have been experiencing with bandwidth hogging. Sometimes, I see a lot of continued data traffic even when all the browser windows I have open are static. Apparently, I've been seeing Flash traffic from sites I've left that have remained active in the background. For a corporate network, this could add up to a lot of unneeded bandwidth utilization.





