Independent researcher, Mike Benham, first identified the flaw, which can undermine the Secure Sockets Layer (SSL) protection, used to protect ecommerce transactions.
Microsoft said it is working on patches for Windows 98, ME, NT4, 2000 and XP. It would not say when the patches would be available.
“This SSL flaw has been described as an Internet Explorer problem but it is a Windows issue. It's in the crypto of the operating system so we have to patch the OS,” said Scott Culp manager of the Microsoft Security Response Centre.
He said it is an “implementation problem in the way SSL certificates are processed where information is not available in the certificate or it is available in two places and there is a conflict”.
Culp said the flaw does not lie within CAPI, but in code that performs validation of SSL certificate chains, meaning the hierarchy of trust that cascades from certificate authorities such as VeriSign. The OS must be patched because IE does not have its own cryptography code and must rely on the OS for that service, he said.
Culp said the SSL flaw does not effect any other application outside IE and that it is a client side issue only.
“That's interesting, I'll have to do some more testing,” responded Mike Benham. “Possibly this is a second can of worms.”
However, Benham recently suggested to Macworld that the vulnerability also affects Macs. Macworld is following up this report.