MSFN Forum: Microsoft: SSL/TLS attacks highly improbable, but may require patch


Microsoft: SSL/TLS attacks highly improbable, but may require patch

Posted on Sep 27 2011 02:35 PM by xper in Security | Viewed 2346 Times

Microsoft has issued a security advisory about an exploit that can decrypt SSL and TLS Web traffic. While actual attacks are considered improbable, a security patch to protect Microsoft software is likely on the way.

As noted by Ars last week, security researchers have developed a hacking tool called BEAST, or Browser Exploit Against SSL/TLS, which can decrypt “secure Web requests to sites using the Transport Layer Security 1.0 protocol and SSL 3.0.”

In the Microsoft advisory released yesterday, Microsoft listed affected software as Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows Server 2008 R2 and Windows 7. A patch may be issued either in Microsoft’s usual round of monthly security updates, or in an out-of-cycle update “depending on customer needs.”

“While the affected component is a Windows component, the primary vector is to attack the browser’s use of the HTTPS protocol to intercept sensitive information, such as the session cookie of the HTTPS session,” Microsoft said.

The weakness was fixed in Chromium source code three months ago, but a demonstration of the attack “succeeded in cracking the SSL confidentiality model as implemented by the Mozilla Firefox browser when communicating with paypal.com web servers over https,” Kaspersky Lab security researcher Kurt Baumgartner writes. Kaspersky researcher Roel Schouwenberg believes a Microsoft patch is very likely, although the exact software to be patched is unclear because “the vulnerability exists on the protocol level, not on the application level. As such, a patch will transcend Internet Explorer, even if IE will be the most likely target.”

“While this is mostly a theoretical attack, we're talking about one of the foundations of trust on the Internet,” Schouwenberg also says.

Source: ArsTechnica




Copyright © 2001 - 2013 msfn.org