Hello. Today we released Security Advisory 2588513, addressing an information-disclosure issue in SSL (Secure Sockets Layer) 3.0 and TLS (Transport Layer Security) 1.0 to provide guidance for customers. This is an industry-wide issue with limited impact that affects the Internet ecosystem as a whole rather than any specific platform. Our Advisory addresses the issue via the Windows operating system.
We are not aware of a way to exploit this issue in other protocols or components, and we have no reports of exploitation in the wild at this time; our investigation continues, but our research so far indicates that customers are at minimal risk. To successfully exploit this issue, the would-be attacker must meet several conditions:
- The targeted user must be in an active HTTPS session;
- The malicious code the attacker needs to decrypt the HTTPS traffic must be injected and run in the user’s browser session; and,
- The attacker’s malicious code must be treated as from the same origin as the HTTPS server in order to it to be allowed to piggyback the existing HTTPS connection.
In addition, due to the fashion in which this man-in-the-middle exploit operates, a would-be attacker would need a fairly high-bandwidth connection to the target. Later versions of TLS (1.1 and 1.2) are not susceptible to this approach; our Security Advisory gives guidance on how to enable TLS 1.1 and 1.2 for customers who believe themselves to be at significant risk from this issue.
For further information on the nature of the issue, please see “Is SSL broken? – More about Security Advisory 2588513” on the SRD blog.
If you haven’t done so already, we suggest that you register for our security alerts (via email or RSS) on the Microsoft Technical Security Notifications page.
Group Manager, Response Communications
Trustworthy Computing Group