The news last week about the cracking of SSL/TLS was quite shocking. Yesterday Microsoft issued Security Advisory 2588513 warning of this threat, but claimed that it is not specific to any Windows operating system and is not considered high risk to customers.
But how does this affect Windows systems? As the security advisory states:
This vulnerability affects the protocol itself and is not specific to Windows operating systems.
This is an information disclosure vulnerability that allows the decryption of encrypted SSL/TLS traffic. This vulnerability primarily impacts HTTPS traffic, since the browser is the primary attack vector, and all web traffic served via HTTPS or mixed content HTTP/HTTPS is affected.
The mitigating factors:
- The attack must make several hundred HTTPS requests before the attack could be successful.
- TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.
Microsoft says that, considering the attack scenario, this vulnerability is not considered high risk to customers, and suggests a few actions, including enabling TLS 1.1 and/or 1.2 in Internet Explorer on both client and server platforms. Clearing cookies, not navigating to HTTP and HTTPS websites at the same time, or browsing HTTPS sites in Private Browsing also helps in staying away from this attack.
And that’s pretty much what Microsoft can do about this issue.
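
To see which connections fall inside the affected set described in the mitigating factors above (a protocol older than TLS 1.1 combined with a CBC-mode cipher suite), the following added example audits a connection log. It is not code from the advisory or from Microsoft; the log format, the sample lines and the function names are constructed for illustration, and cipher suites are assumed to be logged under their IANA names.

```python
# Added example: flag logged connections that match the advisory's affected set.
# Assumption: each log line is "client protocol iana_cipher_suite" (constructed format).

# Protocol versions older than TLS 1.1, as they might appear in a log.
AFFECTED_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.0"}

# Constructed sample input, not captured traffic.
SAMPLE_LOG = """\
10.0.0.5 TLSv1 TLS_RSA_WITH_AES_128_CBC_SHA
10.0.0.6 TLSv1 TLS_RSA_WITH_RC4_128_SHA
10.0.0.7 TLSv1.2 TLS_RSA_WITH_AES_128_CBC_SHA256
10.0.0.8 SSLv3 TLS_RSA_WITH_3DES_EDE_CBC_SHA
10.0.0.9 TLSv1.1 TLS_RSA_WITH_AES_256_CBC_SHA
malformed line here extra
"""


def uses_cbc(suite):
    """IANA suite names spell out the mode, e.g. ..._AES_128_CBC_SHA."""
    return "_CBC_" in suite.upper()


def is_affected(protocol, suite):
    """True only when both conditions hold: old protocol AND CBC mode."""
    return protocol in AFFECTED_PROTOCOLS and uses_cbc(suite)


def audit(log_text):
    """Return (affected connections, line numbers that could not be parsed)."""
    affected, skipped = [], []
    for number, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue  # ignore blank lines
        if len(fields) != 3:
            skipped.append(number)  # report rather than guess at the layout
            continue
        client, protocol, suite = fields
        if is_affected(protocol, suite):
            affected.append((client, protocol, suite))
    return affected, skipped


if __name__ == "__main__":
    hits, bad_lines = audit(SAMPLE_LOG)
    for client, protocol, suite in hits:
        print(f"{client}: {protocol} with {suite} is in the affected set")
    print("unparsed lines:", bad_lines)
```

The clients reported here are the ones to move to TLS 1.1 or 1.2 first, as the advisory suggests.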