
SANS ISC: Vulnerability in TLS/SSL Could Allow Spoofing - Internet Security | DShield SANS ISC InfoSec Forums


Vulnerability in TLS/SSL Could Allow Spoofing

Microsoft released a bulletin yesterday about a potential problem in TLS/SSL that could allow spoofing.  From their bulletin:

Microsoft is investigating public reports of a vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. At this time, Microsoft is not aware of any attacks attempting to exploit the reported vulnerability.

As an issue affecting an Internet standard, we recognize that this issue affects multiple vendors. We are working on a coordinated response with our partners in the Internet Consortium for Advancement of Security on the Internet (ICASI). The TLS and SSL protocols are implemented in several Microsoft products, both client and server, and this advisory will be updated as our investigation continues.

As part of this security advisory, Microsoft is making available a workaround which enables system administrators to disable TLS and SSL renegotiation functionality. However, as renegotiation is required functionality for some applications, this workaround is not intended for wide implementation and should be tested extensively prior to implementation.

Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, depending on customer needs.

More details are in their bulletin and we'll let you know if we hear anything more.  We have not received any reports of in-the-wild exploitation of this potential vulnerability.

Thanks, Cheryl, for bringing this to our attention!

Marcus H. Sachs
Director, SANS Internet Storm Center

 

Marcus

301 Posts
ISC Handler
This looks like the same SSL prepending vulnerability that was disclosed last year. The SRD blog has more info, http://blogs.technet.com/srd/archive/2010/02/09/details-on-the-new-tls-advisory.aspx
Anonymous
Microsoft seeming a little slow to fix something that I believe was fixed in OpenSSL etc. some... six months ago?

There's a good point mentioned on that Technet blog, that a conceivable exploit of this in HTTPS would probably have been an XSRF vulnerability anyway. A well-designed web app should prevent this TLS bug from being exploited to cause harm.

But I'd recommend playing it safe and getting systems patched as it's inevitable that someone thinks of a clever new way to exploit this bug.
Steven C.

171 Posts
