Microsoft Releases New Security Advisory for SSL/TLS Flaw

Microsoft released Security Advisory 2588513 yesterday, which warns users of the threat of attack caused by a flaw in the Secure Sockets Layer (SSL) 3.0 and Transport Layer Security (TLS) 1.0 protocols.

The flaw, discovered and demonstrated by two security researchers last week, allows a potential attacker to pull off a man-in-the-middle exploit by gaining access to a user's machine through an active HTTPS session.

In the demonstration, security researchers Thai Duong and Juliano Rizzo showed how their SSL exploit tool called BEAST (consisting of JavaScript/applet agents and a network sniffer) can decrypt existing cookies on a Web site to gain access to a target's machine. The two used their tool on the PayPal Web site to demonstrate that even the most secure sites are vulnerable to this flaw.

"Once an agent has been loaded, BEAST can patiently wait until you sign in to some valuable websites to steal your accounts," wrote Duong in a blog post.

While the two showed that an SSL attack using JavaScript agents could succeed in hijacking personal information and executing malicious code, Microsoft says it believes that the possibility of a successful attack in the wild is slim.

Speaking on what is required to pull off such an attack, Microsoft said the following, in a TechNet blog post:

  • "The HTTPS session must be actively attacked by a man-in-the-middle; simply observing the encrypted traffic is not sufficient.
  • The malicious code the attacker uses to decrypt the HTTPS traffic must be injected and run within the user's browser session.
  • The attacker's malicious code needs to be treated as from the same origin as the HTTPS server in order for it to be allowed to piggyback on an existing HTTPS connection. Most likely it requires the attacker to exploit another vulnerability to bypass the browser's same origin policy."

While the exploit only works in TLS version 1.0, most browsers do not provide support for newer versions (TLS 1.1 and 1.2), and in Microsoft's case, Internet Explorer does not have TLS 1.1 activated as its default setting due to compatibility issues. Microsoft said it is waiting for worldwide servers to implement correct HTTPS protocols before it can set TLS 1.1 to default.

Microsoft did not provide a fix with Monday's security advisory. However, it did provide a handful of workarounds, which include switching on TLS 1.1 in Internet Explorer, enabling Microsoft's browser to prompt users before running Active Scripting and prioritizing the RC4 algorithm to secure communication, among others.
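
The following is an added example, not code from Microsoft's advisory or from the researchers, showing how a defender could check a captured handshake against the two protocol-level workarounds above. It relies on a detail this article does not spell out: BEAST targets block ciphers in CBC mode under SSL 3.0/TLS 1.0, which is why moving to TLS 1.1 or preferring RC4 sidesteps it. The cipher-suite subset, the function names and the sample ServerHello bytes are constructed for the illustration.

```python
import struct

# Constructed subset of IANA cipher suite IDs that use a block cipher in CBC
# mode; a real audit would load the full registry.
CBC_SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}
AFFECTED_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0"}


def parse_server_hello(record: bytes):
    """Return (version, cipher_suite) from one TLS ServerHello record."""
    if len(record) < 9:
        raise ValueError("truncated record")
    ctype, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or rec_len < 4 or len(body) != rec_len or body[0] != 0x02:
        raise ValueError("not a complete ServerHello handshake record")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    # Layout: server_version(2) random(32) session_id_len(1) session_id(n)
    #         cipher_suite(2) compression_method(1)
    if len(hello) < 38:
        raise ValueError("truncated ServerHello")
    offset = 35 + hello[34]
    if len(hello) < offset + 3:
        raise ValueError("truncated ServerHello")
    version = int.from_bytes(hello[0:2], "big")
    suite = int.from_bytes(hello[offset:offset + 2], "big")
    return version, suite


def beast_exposed(record: bytes) -> bool:
    """True if the negotiated session is SSL 3.0/TLS 1.0 with a CBC suite."""
    version, suite = parse_server_hello(record)
    return version in AFFECTED_VERSIONS and suite in CBC_SUITES


def make_server_hello(version: int, suite: int) -> bytes:
    """Build a constructed ServerHello: zero random, empty session id."""
    hello = struct.pack("!H32xBHB", version, 0, suite, 0)
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, version, len(handshake)) + handshake
```

A session negotiated at TLS 1.1 (`0x0302`) or with an RC4 suite such as `0x0005` is reported as not exposed, matching the workarounds listed in the advisory.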

About the Author

Chris Paoli is the site producer for and

