Microsoft doesn't see hacked SSL/HTTPS as high security risk



But Microsoft advises moving to TLS 1.1/1.2

Microsoft Security Advisory (2588513)

Vulnerability in SSL/TLS Could Allow Information Disclosure

Microsoft is aware of detailed information that has been published describing a new method to exploit a vulnerability in SSL 3.0 and TLS 1.0, affecting the Windows operating system. This vulnerability affects the protocol itself and is not specific to the Windows operating system. This is an information disclosure vulnerability that allows the decryption of encrypted SSL/TLS traffic. This vulnerability primarily impacts HTTPS traffic, since the browser is the primary attack vector, and all web traffic served via HTTPS or mixed content HTTP/HTTPS is affected. We are not aware of a way to exploit this vulnerability in other protocols or components and we are not aware of attacks that try to use the reported vulnerability at this time. Considering the attack scenario, this vulnerability is not considered high risk to customers.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Mitigating Factors:

  • The attack must make several hundred HTTPS requests before the attack could be successful.
  • TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.....

http://technet.microsoft.com/en-us/security/advisory/2588513


So Microsoft doesn't see a vulnerability in an outdated protocol as a problem. So? It's not like there's much you can do about a problem which is already fixed in the later versions...


"Attackers must already control the network used by the intended victim, and they can only recover secret information that's transmitted repeatedly in a predictable location of the encrypted data stream. They must also have means to subvert a safety mechanism built into the web known as the same-origin policy, which dictates that data set by one domain name can't be read or modified by a different address."

and

“As it stands, given the number of difficult conditions necessary for deploying this attack, as well as the dependency on leveraging a Java applet for violating SOP, it seems extremely unlikely that individual browser users will be personally affected by this vulnerability.”

Taken from http://www.theregister.co.uk/2011/09/27/beast_attacks_paypay/


Microsoft doesn't see it as a problem? Microsoft issues a "Fix It For Me" patch.

IE 6, 7 and 8 on Win XP (still 70% in enterprise) don't support TLS 1.1/1.2, and most sites/servers don't enable TLS 1.1/1.2 either.

http://support.micro...8513#FixItForMe

Microsoft Security Advisory: Vulnerability in SSL/TLS could allow information disclosure

Microsoft has released a Microsoft security advisory about this issue for IT professionals.

Two Fix it solutions are available.

  • Fix it solution for Transport Layer Security (TLS) 1.1 on Internet Explorer: The solution enables TLS 1.1, which is not affected by this vulnerability, on Windows Internet Explorer. Most typical users should install this Fix it solution.
  • Fix it solution for TLS 1.1 on Windows-based servers: The solution enables TLS 1.1, which is not affected by the vulnerability......

Applies only to Windows 7 clients and 2008 servers (no Vista).

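Added example, not part of the original posts or the advisory: a small audit that applies the advisory's mitigating factor (only SSL 3.0/TLS 1.0 sessions using a CBC cipher suite are affected) to a list of negotiated sessions. The record format, the hostnames and the use of IANA cipher suite names are assumptions made for the illustration.

```python
import re

# Assumption: cipher suites are given by IANA name, where CBC-mode suites
# carry "_CBC_" (OpenSSL-style names such as AES128-SHA would need a mapping).
_PROTO = re.compile(r"^(SSL|TLS)\s*v?\s*(\d)(?:\.(\d))?$", re.IGNORECASE)
AFFECTED_VERSIONS = {("SSL", 3, 0), ("TLS", 1, 0)}  # versions named in the advisory

def parse_protocol(text):
    """Normalise 'TLSv1', 'TLS 1.0', 'SSLv3', ... to (family, major, minor)."""
    m = _PROTO.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised protocol: {text!r}")
    return (m.group(1).upper(), int(m.group(2)), int(m.group(3) or 0))

def is_affected(protocol, cipher_suite):
    """True only when both conditions hold: SSL 3.0/TLS 1.0 and a CBC suite."""
    uses_cbc = "_CBC_" in cipher_suite.upper()
    return parse_protocol(protocol) in AFFECTED_VERSIONS and uses_cbc

def audit(records):
    """records: lines of 'endpoint,protocol,cipher'. Returns (affected, skipped)."""
    affected, skipped = [], []
    for line in records.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        try:
            endpoint, protocol, cipher = parts  # ValueError on wrong field count
            if is_affected(protocol, cipher):
                affected.append(endpoint)
        except ValueError:
            skipped.append(line)  # malformed record or unknown protocol string
    return affected, skipped

# Constructed sample of negotiated sessions (hostnames are placeholders).
SAMPLE = """\
# endpoint,protocol,cipher
shop.example:443,TLSv1,TLS_RSA_WITH_AES_128_CBC_SHA
mail.example:443,TLS 1.0,TLS_RSA_WITH_RC4_128_SHA
api.example:443,TLSv1.2,TLS_RSA_WITH_AES_128_CBC_SHA256
legacy.example:443,SSLv3,SSL_RSA_WITH_3DES_EDE_CBC_SHA
new.example:443,TLSv1.1,TLS_RSA_WITH_AES_256_CBC_SHA
broken.example:443,TLSv1
"""

if __name__ == "__main__":
    hits, bad = audit(SAMPLE)
    print("affected:", hits)
    print("skipped:", bad)
```

Records that cannot be parsed are returned separately rather than silently counted as unaffected, so an incomplete scan does not look like a clean one.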
