Microsoft issues warning over SSL flaw

Microsoft has warned its users of a potential threat from a flaw in Secure Sockets Layer 3.0 and Transport Layer Security 1.0, although the company said the chances of a successful attack are not very likely.

The flaw, discovered and demonstrated by two security researchers last week, allows for a potential attacker to pull off a man-in-the-middle exploit by gaining access to a user's machine through an active HTTPS session.

In the demonstration, security researchers Thai Duong and Juliano Rizzo showed how their SSL exploit tool, called BEAST (consisting of a Javascript/applet agents and a network sniffer), can decrypt existing cookies on a Web site to gain access to a target's machine. The two used their tool on the PayPal Web site to demonstrate that even the most secure sites are vulnerable to this flaw.  

"Once an agent has been loaded, BEAST can patiently wait until you sign in to some valuable websites to steal your accounts," Doung wrote in a blog post.

While the two showed that an SSL attack using Javascript agents could succeed in hijacking personal information and executing malicious code, Microsoft says it believes that the possibility of a successful attack in the wild is slim.

Speaking on what is required to pull off such an attack, Microsoft said the following, in a TechNet blog post:

  • "The HTTPS session must be actively attacked by a man-in-the-middle; simply observing the encrypted traffic is not sufficient.
  • The malicious code the attacker uses to decrypt the HTTPS traffic must be injected and run within the user's browser session.
  • The attacker's malicious code needs to be treated as from the same origin as the HTTPS server in order to it to be allowed to piggyback on an existing HTTPS connection. Most likely it requires the attacker to exploit another vulnerability to bypass the browser's same origin policy."

While the exploit only works in TLS versions 1.0, most browsers do not provide support for newer versions (TLS 1.1 and 1.2), and in Microsoft's case, Internet Explorer does not have TLS 1.1 activated as its default setting due to compatibility issues. Microsoft said it is waiting for worldwide servers to implement correct HTTPS protocols before it can set TLS 1.1 to default.

Microsoft did not provide a fix with Monday's security advisory. However, it did provide a handful of workarounds, which include switching on TLS 1.1 in Internet Explorer, enabling Microsoft's browser to prompt users before running Active Scripting and prioritizing the RC4 algorithm to secure communication, among others.

About the Author

Chris Paoli is the associate Web editor for 1105 Enterprise Computing Group's Web sites, including Redmondmag.com, RCPmag.com, ADTmag.com and VirtualizationReview.com.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above