Microsoft issues advisory about SSL/TLS vulnerability, promises patch
Microsoft (NASDAQ: MSFT) has issued a security advisory about a new exploit that can be used to decrypt SSL and TLS web traffic as part of a man-in-the-middle attack. The advisory came in the wake of two security researchers demonstrating the flaw for the first time last week. The operating systems identified by the advisory include Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 and Windows 7.
As we reported earlier, security researchers Thai Duong and Juliano Rizzo had put together a hacking tool called BEAST to exploit a weakness in SSL, TLS 1.0 and TLS 1.1 that was previously thought to be unexploitable. Using their sophisticated proof-of-concept tool, they were able to intercept sensitive information such as session cookies, demonstrating on a browser accessing the PayPal website at an Argentinian security conference.
For its part, Microsoft has countered that pulling off an attack using BEAST is not a trivial affair. First of all, an attacker must be in a position to pull off an active man-in-the-middle attack. Simply monitoring the encrypted data stream is inadequate. Moreover, malicious code to decrypt the HTTPS stream must be injected within the user's browser session, which also means that built-in measures to protect the data from one domain against modification and access will also need to be separately circumvented.
In spite of the difficulties inherent in pulling off a successful attack, Microsoft has provided a number of workarounds to sidestep the issue. The challenge is that suggested fixes may introduce incompatibilities with sites not properly configured to accept TLS 1.2, which is not vulnerable.
For now, the software giant says it is working on a security patch, though it did not say when it will be released. Unless a rash of attacks using BEAST takes place however, any patch likely come as regular Patch Tuesday update rather than an out-of-cycle fix.