Microsoft Security Advisory 2588513 released today alert customers to a new vulnerability reported in SSL (Secure Sockets Layer) 3.0 and TLS (Transport Layer Security) 1.0. "This is an industry-wide issue with limited impact that affects the Internet ecosystem as a whole rather than any specific platform," Microsoft stated.
To successfully exploit this issue, the would-be attacker must meet several conditions:
- "The targeted user must be in an active HTTPS session;
- The malicious code the attacker needs to decrypt the HTTPS traffic must be injected and run in the user's browser session; and,
- The attacker's malicious code must be treated as from the same origin as the HTTPS server in order to it to be allowed to piggyback the existing HTTPS connection," explains Microsoft.
"In addition, due to the fashion in which this man-in-the-middle exploit operates, a would-be attacker would need a fairly high-bandwidth connection to the target. Later versions of TLS (1.1 and 1.2) are not susceptible to this approach; our Security Advisory gives guidance on how to enable TLS 1.1 and 1.2 for customers who believe themselves to be at significant risk from this issue," Microsof said.
Microsoft advises "web server administrators to give higher priority for the RC4 Cipher Suite than CBC since the attack only affects cipher suites that use CBC. By giving a higher priority for RC4 on the server, RC4 instead of CBC will be used in the security communication since all of windows clients support RC4, unless put in FIPS compliant configuration," Microsoft explains.
Refer to this MSDN article to learn how to perform this operation via group policy. "We recommend putting TLS_RSA_WITH_RC4_128_SHA as the top of the priority list, as indicated in the following image":
Microsoft also encourage users and web administrators to enable the newer security protocols, such as TLS 1.1, on both the client side and the server side. "If the browser and web server both enable TLS 1.1, the HTTPS traffic uses TLS 1.1 protocol instead of SSL 3.0/TLS 1.0, and thus won't be affected by such attacks. TLS 1.1 protocol is supported in Windows 7 and Windows 2008 R2."
"To enanble TLS 1.1 for Internet Explorer and other WinINET-based applications running on Windows 7 and Windows Server 2008 R2, please click this Fix it!.
To enbable TLS 1.1 for server-side components running on Windows 7 and Windows Server 2008 R2, click this Fix it!: