Feeds

Microsoft purges Windows of serious SSL vuln

Balance in the force restored

Using blade systems to cut costs and sharpen efficiencies

Microsoft has updated a broad swath of products to fix a potentially serious spoofing vulnerability in the secure sockets layer (SSL) protocol that secures email, web transactions and other sensitive internet traffic.

The software company on Tuesday released MS10-049 to kill the bug in Windows Server 2008, Windows 7 and 12 other versions of Windows that are still under support. The patch updates a part of the operating system known as SChannel, or Secure Channel, which is responsible for implementing SSL, which is also referred to as TLS, or transport layer security.

The weakness first became public in November, when word leaked out that a vulnerability in the underlying protocol used by hundreds of companies allowed attackers to inject text into encrypted traffic passing between two endpoints. Researchers had been meeting in secret to develop an industry-wide fix before attackers could figure out a way to exploit it.

Microsoft's update follows the revision in January of RFC 5246, the request-for-comments document that previously mapped out the technical specifications for the protocol. The new controlling blueprint for SSL/TLS communications is RFC 5746. Since then, other packages, including OpenSSL, RedHat Linux and Oracle's Java, have also been patched.

“Ten months after public disclosure the majority of the industry has a fix,” said Marsh Ray, a software developer at two-factor authentication service PhoneFactor and one of the researchers who first sounded the alarm. “I think it's about as good a time as any to declare victory on that project.”

Microsoft rated the severity of the vulnerability as “important,” the second-highest classification on its four-tier scale. The bulletin correctly said the SSL vulnerability could be exploited only in concert with another attack – such as ARP spoofing or DNS cache poisoning – that allowed someone to perform a man-in-the-middle attack.

“It is important to note that this is still potentially a significant issue for certain deployments, and the update should be installed,” Maarten Van Horenbeeck, a program manager in the Microsoft Security Response Center, wrote here. “In particular, the vulnerability may affect other non-HTTP protocols that are less well understood.”

The vulnerability in the older protocol stems from the ability for either party in an SSL transaction to renegotiate the session, usually so one of them can refresh its cryptographic keys or change other parameters. That could allow man-in-the-middle attackers to surreptitiously introduce text at the beginning of an SSL session.

The overhauled specification prevents the attack by introducing a TLS extension that cryptographically ties renegotiations to the original connection, so authentication is carried forward and later validated.

The fix was released as part of Microsoft's Patch Tuesday batch, that included a record 14 updates that patched at least 34 separate vulnerabilities. Exploits for vulnerabilities described in four of the bulletins are likely to be released into the wild in the next 30 days, Microsoft said.

Not to be outdone, Adobe Systems released security updates for its Flash Player and Flash Media Server software, both of which were rated critical. Adobe also issued a hotfix for ColdFusion that was rated important. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.