Microsoft issues warning over SSL flaw
- By Chris Paoli
- Sep 29, 2011
Microsoft has warned its users of a potential threat from a flaw in Secure Sockets Layer 3.0 and Transport Layer Security 1.0, although the company said the chances of a successful attack are not very likely.
The flaw, discovered and demonstrated by two security researchers last week, allows a potential attacker to pull off a man-in-the-middle exploit by gaining access to a user's machine through an active HTTPS session.
"Once an agent has been loaded, BEAST can patiently wait until you sign in to some valuable websites to steal your accounts," Duong wrote in a blog post.
Speaking on what is required to pull off such an attack, Microsoft said the following, in a TechNet blog post:
- "The HTTPS session must be actively attacked by a man-in-the-middle; simply observing the encrypted traffic is not sufficient.
- The malicious code the attacker uses to decrypt the HTTPS traffic must be injected and run within the user's browser session.
- The attacker's malicious code needs to be treated as from the same origin as the HTTPS server in order for it to be allowed to piggyback on an existing HTTPS connection. Most likely it requires the attacker to exploit another vulnerability to bypass the browser's same origin policy."
While the exploit only works against TLS version 1.0, most browsers do not provide support for newer versions (TLS 1.1 and 1.2), and in Microsoft's case, Internet Explorer does not have TLS 1.1 activated as its default setting due to compatibility issues. Microsoft said it is waiting for servers worldwide to implement the newer HTTPS protocol versions correctly before it can make TLS 1.1 the default.
Microsoft did not provide a fix with Monday's security advisory. However, it did provide a handful of workarounds, which include switching on TLS 1.1 in Internet Explorer, enabling Microsoft's browser to prompt users before running Active Scripting, and prioritizing the RC4 algorithm for securing communication, among others.
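The workarounds above come down to steering a session away from one specific combination: SSL 3.0 or TLS 1.0 together with a CBC-mode cipher suite (BEAST targets CBC mode, which is why preferring RC4, a stream cipher, is listed alongside enabling TLS 1.1). The following is an added example, not code from the article, Microsoft or the researchers: a small Python parser that reads a TLS ServerHello record, reports the negotiated protocol version and cipher suite, and flags sessions that land on that exposed combination. It is the kind of check a defender runs over captured handshakes to inventory which servers still negotiate the old version with CBC ciphers. The sample records are constructed inline by a helper rather than captured from real traffic, and the cipher-suite table covers only a few standard IANA values.

```python
import struct

# TLS version codes as they appear on the wire (standard values).
VERSION_NAMES = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
}

# A handful of standard IANA cipher suites with the mode of their bulk cipher.
# Only CBC-mode suites on SSL 3.0 / TLS 1.0 are relevant to the attack described.
CIPHER_SUITES = {
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", "stream"),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "cbc"),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "cbc"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "cbc"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "aead"),
}

HANDSHAKE = 0x16     # record content type: handshake
SERVER_HELLO = 0x02  # handshake message type: ServerHello


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello and return version and cipher suite."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, record_version, record_len = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + record_len]
    if len(body) != record_len:
        raise ValueError("record length does not match payload")
    # Handshake header: 1-byte message type followed by a 3-byte length.
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("handshake length does not match payload")
    # ServerHello: 2-byte server_version, 32-byte random, then a length-prefixed session id,
    # then the 2-byte cipher suite the server selected.
    server_version = struct.unpack("!H", hello[:2])[0]
    sid_len = hello[34]
    pos = 35 + sid_len
    suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    name, mode = CIPHER_SUITES.get(suite, ("unknown_0x%04x" % suite, "unknown"))
    return {
        "record_version": VERSION_NAMES.get(record_version, hex(record_version)),
        "version": VERSION_NAMES.get(server_version, hex(server_version)),
        "cipher_suite": name,
        "mode": mode,
    }


def beast_exposed(info: dict) -> bool:
    """True when the session negotiated SSL 3.0 or TLS 1.0 with a CBC cipher suite."""
    return info["version"] in ("SSL 3.0", "TLS 1.0") and info["mode"] == "cbc"


def build_server_hello(version: int, suite: int) -> bytes:
    """Construct a minimal ServerHello record (sample input for this demo, not captured traffic)."""
    hello = (struct.pack("!H", version)        # server_version
             + b"\x11" * 32                    # server random (constant placeholder bytes)
             + b"\x00"                         # empty session id
             + struct.pack("!H", suite)        # selected cipher suite
             + b"\x00")                        # null compression
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", HANDSHAKE, version, len(handshake)) + handshake


def triage(records) -> list:
    """Parse each record and pair its summary with the exposure verdict."""
    return [(parse_server_hello(r), beast_exposed(parse_server_hello(r))) for r in records]


if __name__ == "__main__":
    samples = [
        build_server_hello(0x0301, 0x002F),  # TLS 1.0 + AES-128-CBC: exposed
        build_server_hello(0x0301, 0x0005),  # TLS 1.0 + RC4: the advisory's workaround
        build_server_hello(0x0302, 0x002F),  # TLS 1.1 + AES-128-CBC: version no longer affected
    ]
    for info, exposed in triage(samples):
        print("%-8s %-32s exposed=%s" % (info["version"], info["cipher_suite"], exposed))
```

Running the block prints one line per constructed record; only the TLS 1.0 session with AES-128-CBC is marked exposed. Pointing `parse_server_hello` at real ServerHello records (for example, the handshake bytes from a packet capture) gives the same verdict for each server, which is a direct way to measure how much of an estate still depends on the two workarounds the advisory lists.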
Chris Paoli is the associate Web editor for 1105 Enterprise Computing Group's Web sites, including Redmondmag.com, RCPmag.com, ADTmag.com and VirtualizationReview.com.