alexalex, Posted September 27, 2011

But Microsoft advises moving to TLS 1.1/1.2:

Microsoft Security Advisory (2588513): Vulnerability in SSL/TLS Could Allow Information Disclosure

Microsoft is aware of detailed information that has been published describing a new method to exploit a vulnerability in SSL 3.0 and TLS 1.0, affecting the Windows operating system. This vulnerability affects the protocol itself and is not specific to the Windows operating system. This is an information disclosure vulnerability that allows the decryption of encrypted SSL/TLS traffic. This vulnerability primarily impacts HTTPS traffic, since the browser is the primary attack vector, and all web traffic served via HTTPS or mixed content HTTP/HTTPS is affected.

We are not aware of a way to exploit this vulnerability in other protocols or components and we are not aware of attacks that try to use the reported vulnerability at this time. Considering the attack scenario, this vulnerability is not considered high risk to customers.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Mitigating Factors: The attack must make several hundred HTTPS requests before the attack could be successful. TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected. ...

http://technet.microsoft.com/en-us/security/advisory/2588513
Wolfbane, Posted September 27, 2011

So Microsoft doesn't see a vulnerability in an outdated protocol as a problem. So? It's not like there's much you can do about a problem which is already fixed in the later versions...
Phouchg, Posted September 27, 2011

Microsoft doesn't have to see it as a problem. At least, not as their problem. Internet Explorer has supported TLS 1.2 since v7 and, I think, it's even enabled by default.
+BudMan (MVC), Posted September 27, 2011

"it's even enabled by default."

No it isn't.
Cheryl_27, Posted September 27, 2011

What about SSL 3.0? It's not outdated, is it?
Daedroth, Posted September 27, 2011

"Attackers must already control the network used by the intended victim, and they can only recover secret information that's transmitted repeatedly in a predictable location of the encrypted data stream. They must also have means to subvert a safety mechanism built into the web known as the same-origin policy, which dictates that data set by one domain name can't be read or modified by a different address."

and

"As it stands, given the number of difficult conditions necessary for deploying this attack, as well as the dependency on leveraging a Java applet for violating SOP, it seems extremely unlikely that individual browser users will be personally affected by this vulnerability."

Taken from http://www.theregister.co.uk/2011/09/27/beast_attacks_paypay/
Phouchg, Posted September 27, 2011

"No it isn't"

I stand corrected. My bad.
alexalex (Author), Posted September 29, 2011

Microsoft doesn't see it as a problem? Microsoft issues a "Fix It For Me" patch. IE 6, 7, 8 on Win XP (still 70% in enterprise) don't support TLS 1.1/1.2, and most sites/servers don't enable TLS 1.1/1.2 either.

http://support.micro...8513#FixItForMe

Microsoft Security Advisory: Vulnerability in SSL/TLS could allow information disclosure

Microsoft has released a Microsoft security advisory about this issue for IT professionals. Two Fix it solutions are available.

Fix it solution for Transport Layer Security (TLS) 1.1 on Internet Explorer: The solution enables TLS 1.1, which is not affected by this vulnerability, on Windows Internet Explorer. Most typical users should install this Fix it solution.

Fix it solution for TLS 1.1 on Windows-based servers: The solution enables TLS 1.1, which is not affected by the vulnerability. ...

Applies only to Windows 7 clients and 2008 servers (no Vista).
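The two Fix it packages quoted above flip registry values rather than patching code: the server-side one turns on TLS 1.1 in SChannel, the IE one adds TLS 1.1 to the browser's "Use TLS x.y" bitmask. The script below is an added example, written for this page and not taken from the thread or from Microsoft's Fix it; it reports the current state of both locations and, with -Enable, sets them (enabling TLS 1.2 as well, which the Fix it did not). It assumes an elevated prompt on Windows 7 / Server 2008 R2 or later (the advisory's point about TLS 1.1/1.2 being unaffected only helps where SChannel implements them; on XP it does not), that SChannel changes take effect after a reboot, and that the documented SecureProtocols bit values (0x08 SSL 2.0, 0x20 SSL 3.0, 0x80 TLS 1.0, 0x200 TLS 1.1, 0x800 TLS 1.2) are in use.

```powershell
# Added example, not from the thread and not Microsoft's Fix it package.
# Reports, and with -Enable sets, the two registry locations that decide which
# TLS versions Windows uses: SChannel (per protocol, per Client/Server side, used
# by IIS/RDP/any SChannel application) and Internet Explorer's SecureProtocols
# bitmask. Assumptions: run elevated on Windows 7 / 2008 R2 or later, SChannel
# changes need a reboot, the IE value is per user (HKCU).
[CmdletBinding()]
param([switch]$Enable)

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$IeKey        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
# SecureProtocols bit values (documented Internet Settings mask).
$Bits = [ordered]@{ 'SSL 2.0' = 0x08; 'SSL 3.0' = 0x20; 'TLS 1.0' = 0x80; 'TLS 1.1' = 0x200; 'TLS 1.2' = 0x800 }

function Get-SchannelState {
    param([string]$Protocol, [ValidateSet('Client','Server')][string]$Side)
    $key = Join-Path $SchannelRoot "$Protocol\$Side"
    if (-not (Test-Path $key)) { return 'no key (OS default)' }
    $p   = Get-ItemProperty -Path $key
    $en  = if ($null -ne $p.Enabled)           { $p.Enabled }           else { 'unset' }
    $dbd = if ($null -ne $p.DisabledByDefault) { $p.DisabledByDefault } else { 'unset' }
    # Enabled=0 turns the protocol off outright; DisabledByDefault=1 leaves it
    # available only to applications that request it explicitly.
    return "Enabled=$en DisabledByDefault=$dbd"
}

function Set-SchannelProtocol {
    param([string]$Protocol, [ValidateSet('Client','Server')][string]$Side, [bool]$On)
    $key = Join-Path $SchannelRoot "$Protocol\$Side"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name Enabled           -Value ([int]$On)        -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name DisabledByDefault -Value ([int](-not $On)) -PropertyType DWord -Force | Out-Null
}

function Get-IeSecureProtocols {
    $v = (Get-ItemProperty -Path $IeKey -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols
    if ($null -eq $v) { return $null }      # value absent: IE is on its built-in default
    return [int]$v
}

function Format-IeMask([int]$Mask) {
    ($Bits.GetEnumerator() | Where-Object { $Mask -band $_.Value } | ForEach-Object { $_.Key }) -join ', '
}

# ---- report current state ------------------------------------------------
'SChannel (HKLM):'
foreach ($proto in 'SSL 3.0','TLS 1.0','TLS 1.1','TLS 1.2') {
    foreach ($side in 'Client','Server') {
        '  {0,-8} {1,-7} {2}' -f $proto, $side, (Get-SchannelState $proto $side)
    }
}
$mask = Get-IeSecureProtocols
if ($null -eq $mask) { 'IE SecureProtocols (HKCU): not set (IE default)' }
else { 'IE SecureProtocols (HKCU): 0x{0:X} = {1}' -f $mask, (Format-IeMask $mask) }

# ---- enable TLS 1.1 and 1.2 (what the Fix it does for 1.1, plus 1.2) --------
if ($Enable) {
    foreach ($proto in 'TLS 1.1','TLS 1.2') {
        foreach ($side in 'Client','Server') { Set-SchannelProtocol $proto $side $true }
    }
    # Start from the stored IE mask; when none is stored, assume the IE7/IE8
    # default of SSL 3.0 + TLS 1.0 (an assumption, not taken from the page).
    $cur = Get-IeSecureProtocols
    if ($null -eq $cur) { $cur = $Bits['SSL 3.0'] -bor $Bits['TLS 1.0'] }
    # Keep what is set, drop SSL 2.0, add TLS 1.1 and TLS 1.2.
    $new = ($cur -band (-bnot $Bits['SSL 2.0'])) -bor $Bits['TLS 1.1'] -bor $Bits['TLS 1.2']
    New-ItemProperty -Path $IeKey -Name SecureProtocols -Value $new -PropertyType DWord -Force | Out-Null
    'IE SecureProtocols set to 0x{0:X} ({1}); reboot for the SChannel change to apply.' -f $new, (Format-IeMask $new)
}
```

Run it once without -Enable to see what a box is actually offering before changing anything; on an unpatched Windows 7 client the TLS 1.1/1.2 keys are typically absent, which is why IE shows them unchecked by default, as the exchange above notes. Two caveats the thread itself raises: enabling TLS 1.1 on the server side only helps clients that can negotiate it (XP/IE8 cannot), and the script deliberately leaves TLS 1.0 enabled so those older clients keep connecting; removing it is a separate decision.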