CNET también está disponible en español.

Ir a español

Don't show this again

Christmas Gift Guide
Culture

Microsoft warns of security glitch for some IE users

A potential security issue looms for users of the Macintosh version of the Internet Explorer 4.5 browser because some digital security certificates are set to expire at the end of the year.

Starting on Jan. 1, surfing for online sales may be a risky proposition for some Macintosh owners who use a version of Microsoft's Web browser.

A potential security issue looms for users of the Macintosh version of the Internet Explorer 4.5 browser, according to Microsoft. That's because some digital security certificates--the electronic credentials included in a browser that vouch for the identity of a user--are set to expire at the end of the year.

The result, according to Microsoft, is that some users won't be able to shop or pass information along in a secure fashion. The company says it is working on a fix, which it will post on a Microsoft Web site.

And Mac users probably won't be the only ones whose shopping security is compromised. Many Web surfers using older versions of Netscape's browsers may find themselves in a similar predicament.

According to a message for users of Bank of America's online service, customers using Netscape Navigator/Communicator 4.05 and below, and Macintosh versions of Microsoft Internet Explorer 4.01 and below will no longer be able to access the bank's service after Dec. 17. That's because they have digital certificates that are set to expire.

Bank of America has made a policy decision to not let users of older browsers log on, but that doesn't mean that users will be prevented from conducting secure transactions on other Web sites, explained Chris Saito, senior direct of client product marketing for Netscape.

In Netscape's case, the certificate is used to start a secure conversation between the Web site and the browser. A secure conversation can take place, meaning no one between the user and the site can "listen in," but there is a slightly increased chance that the Web site could be a fake disguised as a reputable vendor, for instance.

Users may see notices about expired certificates come Jan. 1. However, Saito said they are displayed mainly to encourage people to upgrade their browsers to newer versions that have bug fixes and improvements in security, said Saito. People may be inconvenienced by having to upgrade their browser, but improvements in security are worth it, he said.

After midnight, Dec. 31, users of Explorer 4.5 for the Mac who are trying to shop on some Web sites may get this message: "Unable to establish a secure connection. The information you view and send will be readable to others while in transit, and it may not go to the intended party. Continue loading this page?"

Microsoft said the user has the option of continuing or stopping the connection.

Irving Kwong, product manager for Microsoft's Macintosh division, said the problem was discovered when it was testing products for Y2K issues.

"This is not a Y2K problem," Kwong said. "But it is coincidental that the certificate creators chose the date to be [Dec. 31]. We don't want there to be [Y2K] hysteria because of this."

There has been widespread concern that at the turn of the year older computers or systems could fail if they misread 2000 as 1900.

One analyst questioned the impact of such a browser issue.

"There's the potential that someone's acute shopping needs will go unmet [on Jan.1], but I'll be more worried about whether the riots have stopped," quipped Clay Ryder, chief analyst for Zona Research.

The problem with certificate expiration "just goes to show that technology is not perfect," Ryder said. "If there isn't a threat that the certificate can be misused, at worst, this sounds like an inconvenience."

While the certificate problem isn't a huge issue, these and other online glitches come at a time when many industry pundits consider this quarter to be a make-or-break season for many online retailers. Jupiter Communications, for one, expects e-commerce sales to total almost $6 billion during the holidays, about double last year's figure. Continued expansion of online sales could depend in part on customers having a positive shopping experience this year.

To wit: A recent report from Jupiter notes that despite the growth in e-commerce, consumers still are more comfortable doing business at malls and retail stores because of poor customer service and unstable Web sites at online stores.

"I would resist pronouncing e-commerce a success or failure based on the Christmas selling season," said Ryder. As long as there aren't any highly publicized failures at sites like Amazon.com, Ryder expects online shopping to continue to grow in popularity.

It's not known how many people might be affected by the problem. Microsoft said more than 2 million copies of the program have been downloaded. Also, IE 4.5 ships with new Apple systems that have Mac OS 9 preinstalled, so the numbers are significant. IE became the default browser for Apple computer systems in 1997 in return for a $150 million investment from Microsoft.

The company is currently working on a fix and will notify users who sign up at a special Web page when it is available. Kwong said Microsoft is aiming to have the update available before the end of the year.

In related news, Microsoft said that when users of Internet Explorer try to enter sites such as Citibank that require JavaScript--a language used to control the appearance and function of Web pages--they may experience an error when entering them.

Microsoft said this particular problem affects only people who have recently downloaded Outlook Express 5 Macintosh Edition and use Internet Explorer.