UPDATE: IE https certificate attack
Date: 2001/12/25

This morning I was googling through the web and found out that the issue is not that new for Microsoft.

If you compare http://www.acros.si/aspr/ASPR-1999-12-15-1-PUB.txt with my advisory at http://security.e-matters.de/advisories/012001.html you can see that the same bug was reported 2(!) years ago to Microsoft. At that time (or better, half a year later) Microsoft released the patches for that vulnerability that fixed the bug within IE 4.0 and the early versions of IE 5.0.

The Microsoft Security Bulletin (MS00-039) clearly states that IE 5.01 SP1 and IE 5.5 are not vulnerable. That means that one of the "security patches" that Microsoft released since that date reimplemented the bug and made all IEs vulnerable again.

Stefan Esser