Yet another bug has been found in Microsoft's Internet Explorer browser, this one said to potentially allow the theft of data from consumers who are banking online or shopping at e-commerce Web sites.

Microsoft is investigating, but has yet to make a formal statement or issue a fix. One security expert was quoted as saying that "the cryptographic protections of SSL don't work if you're a Microsoft IE user."

The loophole could allow hackers to trick computer users into thinking they are shopping at legitimate Web sites, exposing their credit card numbers and other personal information.


The flaw was discovered by Mike Benham, a San Francisco programmer who posted a note to the Bugtraq mailing list on the SecurityFocus Internet site, outlining what he called the possibility of an undetected "man in the middle" attack.

Some security experts said it was a serious concern; others were quoted as saying that the complexity and knowledge required to exploit the vulnerability makes the probability of widespread attacks unlikely.

Benham said in his warning that Internet Explorer versions 5.0, 5.5 and 6.0 have loopholes in handling digital certificates, such as those from VeriSign , which verify Web sites as being legitimate and also include unique code for encrypting information.

Essentially, any Web site operator with a valid certificate could pretend to be any other Web site operator, Benham said.

"I would consider this to be incredibly severe," Benham said in his posting. "Any of the standard connection hijacking techniques can be combined with this vulnerability to produce a successful man in the middle attack." Netscape has no such loophole, he said.

Microsoft reportedly is still investigating and is unsure even whether to call it a vulnerability, Scott Culp, manager of Microsoft's Security Response Center, was quoted as saying. However, Microsoft and VeriSign were said to be working together on the matter and a VeriSign spokesman said that no real cases have been reported in which someone has successfully spoofed a Web site or gained information.

Internet Explorer has a long history of security flaws, almost all of which have been patched at one time or another.