Microsoft Corp. is investigating claims that its popular Internet Explorer software has a loophole that lets attackers pose as legitimate web site operators, potentially giving them access to school computer users’ names, passwords, and credit card numbers.

Although Microsoft said it’s too soon to judge the severity of the problem—or even whether the flaw exists—some programmers and ed-tech experts said it could threaten the security of everything from online banking to web-based commerce.

The issue becomes increasingly critical for schools as information technology (IT) directors and business officials implement policies that allow educators to place expensive orders for everything from food to new computers online.

“If indeed [the loophole] is real, the potential security flaw in Internet Explorer could be a significant worry for schools,” said Bob Moore executive director of IT services for the Blue Valley School District in Kansas. “Many schools are just getting started with eCommerce applications, and this kind of problem could make schools more wary than ever.”

Software experts agree. The problem is “fairly serious,” said Elias Levy, a member of software security company Symantec Corp.’s security response team, though he added that the complexity involved makes the probability of widespread attacks unlikely.

Attackers taking advantage of the loophole could trick computer users into thinking they are visiting legitimate web sites and could convince them to divulge personal information.

Catherine Brooker, a spokeswoman for Microsoft, said the company investigates all potential security risks thoroughly, and its Security Response Center would see to it that all necessary corrections are made to alleviate possible dangers.

“Customer security is our No. 1 concern,” she said. “We’ll do whatever is right for the customer.”

Mike Benham, a San Francisco programmer who discovered the problem, posted his findings Aug. 5 on a popular security-alert web site.

Benham said Internet Explorer versions 5.0, 5.5, and 6.0 have loopholes in handling web sites’ digital certificates, such as those from VeriSign Inc., which verify web sites as being legitimate and also include unique code for encrypting information.

Essentially, any web site operator with a valid certificate could pretend to be any other web site operator.

Theoretically, he said, attackers could successfully hijack computer users—such as over a school’s internal network—as they went to eCommerce web sites and intercept their information, or they could send hijacked users to dummy web sites and get them to give personal information.

Other web browsers, such as Netscape and Mozilla, aren’t vulnerable to the problem, Benham said.

Microsoft is still investigating and is unsure even whether to call it a vulnerability, said Scott Culp, manager of Microsoft’s Security Response Center.

The possible flaw comes as Microsoft has launched a high-profile effort, called its Trustworthy Computing initiative, to resolve security concerns. But problems remain: The company has issued 41 security bulletins with patches so far this year.

Microsoft criticized Benham for not contacting it first before posting the problem on the internet. Benham said he did not directly notify Microsoft because he was frustrated by the company’s response to other security researchers in the past.

Microsoft maintains it is difficult to wage an attack as Benham outlined, although Levy and another security expert, Bruce Schneier at Counterpane Internet Security, said it is possible.

“Investigating a security vulnerability sometimes takes a little bit longer than people may expect, because it’s important that we be absolutely right about the answer we provide,” Culp said. He added that Microsoft has not contacted Benham because the company has sufficient information and doubts whether he is committed to helping solve the problem.

eCommerce companies have since contacted Microsoft about their concerns, Culp said.

VeriSign, one of the biggest providers of digital certificates, said it learned of the problem on Aug. 9 and contacted Microsoft, said Ben Golub, senior vice president of trust and payment services.

He said the two companies are working together to resolve the problem, and they don’t know of any real cases yet where someone has successfully spoofed a web site or gained information.

Links:

Microsoft Corp.
http://www.microsoft.com

Blue Valley School District
http://www.bluevalleyk12.org

Symantec Corp.
http://www.symantec.com

VeriSign Inc.
http://www.verisign.com