Feeds

Microsoft purges Windows of serious SSL vuln

Balance in the force restored

Securing Web Applications Made Simple and Scalable

Microsoft has updated a broad swath of products to fix a potentially serious spoofing vulnerability in the secure sockets layer (SSL) protocol that secures email, web transactions and other sensitive internet traffic.

The software company on Tuesday released MS10-049 to kill the bug in Windows Server 2008, Windows 7 and 12 other versions of Windows that are still under support. The patch updates a part of the operating system known as SChannel, or Secure Channel, which is responsible for implementing SSL, which is also referred to as TLS, or transport layer security.

The weakness first became public in November, when word leaked out that a vulnerability in the underlying protocol used by hundreds of companies allowed attackers to inject text into encrypted traffic passing between two endpoints. Researchers had been meeting in secret to develop an industry-wide fix before attackers could figure out a way to exploit it.

Microsoft's update follows the revision in January of RFC 5246, the request-for-comments document that previously mapped out the technical specifications for the protocol. The new controlling blueprint for SSL/TLS communications is RFC 5746. Since then, other packages, including OpenSSL, RedHat Linux and Oracle's Java, have also been patched.

“Ten months after public disclosure the majority of the industry has a fix,” said Marsh Ray, a software developer at two-factor authentication service PhoneFactor and one of the researchers who first sounded the alarm. “I think it's about as good a time as any to declare victory on that project.”

Microsoft rated the severity of the vulnerability as “important,” the second-highest classification on its four-tier scale. The bulletin correctly said the SSL vulnerability could be exploited only in concert with another attack – such as ARP spoofing or DNS cache poisoning – that allowed someone to perform a man-in-the-middle attack.

“It is important to note that this is still potentially a significant issue for certain deployments, and the update should be installed,” Maarten Van Horenbeeck, a program manager in the Microsoft Security Response Center, wrote here. “In particular, the vulnerability may affect other non-HTTP protocols that are less well understood.”

The vulnerability in the older protocol stems from the ability for either party in an SSL transaction to renegotiate the session, usually so one of them can refresh its cryptographic keys or change other parameters. That could allow man-in-the-middle attackers to surreptitiously introduce text at the beginning of an SSL session.

The overhauled specification prevents the attack by introducing a TLS extension that cryptographically ties renegotiations to the original connection, so authentication is carried forward and later validated.

The fix was released as part of Microsoft's Patch Tuesday batch, that included a record 14 updates that patched at least 34 separate vulnerabilities. Exploits for vulnerabilities described in four of the bulletins are likely to be released into the wild in the next 30 days, Microsoft said.

Not to be outdone, Adobe Systems released security updates for its Flash Player and Flash Media Server software, both of which were rated critical. Adobe also issued a hotfix for ColdFusion that was rated important. ®

Mobile application security vulnerability report

More from The Register

next story
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.