Security Advisory 2868725: Recommendation to disable RC4

In light of recent research into practical attacks on biases in the RC4 stream cipher, Microsoft is recommending that customers enable TLS 1.2 in their services and take steps to retire and deprecate RC4 as used in their TLS implementations. Microsoft recommends TLS 1.2 with AES-GCM as a more secure alternative, which will provide similar performance. Background…

Is SSL broken? – More about Security Bulletin MS12-006 (previously known as Security Advisory 2588513)

On January 10th, Microsoft released MS12-006 in response to a new vulnerability discovered in September in SSL 3.0 and TLS 1.0. Here we would like to give further information about the technique used to exploit this vulnerability and workaround options Microsoft has released if you discover a compatibility issue after installing the update. Is SSL…

MS10-049: An inside look at CVE-2009-3555, the TLS renegotiation vulnerability

This issue was identified by security researchers Marsh Ray and Steve Dispensa. The vulnerability exists because certain Transport Layer Security (TLS)/Secure Sockets Layer (SSL) protected protocols assume that data received after a TLS renegotiation is sent by the same client as before the renegotiation. Renegotiation is TLS functionality that allows either peer to change the…

MS10-049: A remote Code Execution vulnerability in SChannel, CVE-2010-2566

In MS10-049, we are also addressing a second vulnerability, CVE-2010-2566. This is a vulnerability in schannel.dll which can potentially lead to Remote Code Execution. The vulnerability is present only in Windows XP and Windows Server 2003, and does not affect Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2. This vulnerability…
