Microsoft Issues Security Advisory over the Cracked SSL/TLS Vulnerability


The news last week about the cracking of SSL/TLS was quite shocking. Yesterday Microsoft issued Security Advisory 2588513 warning of this threat, but said that it is not specific to any Windows operating system and is not considered high risk to customers.

The vulnerability resides in TLS version 1.0 and earlier, SSL included. Because the later versions, 1.1 and 1.2, remain almost entirely unsupported in browsers and websites, this serious weakness affects almost all websites protected by the SSL protocol. The piece of JavaScript code called BEAST, short for Browser Exploit Against SSL/TLS, works with a network sniffer to decrypt the encrypted cookies a targeted website uses to grant access to restricted user accounts. That’s pretty serious.

But how does this affect Windows systems? As the security advisory states:

This vulnerability affects the protocol itself and is not specific to Windows operating systems.

This is an information disclosure vulnerability that allows the decryption of encrypted SSL/TLS traffic. This vulnerability primarily impacts HTTPS traffic, since the browser is the primary attack vector, and all web traffic served via HTTPS or mixed content HTTP/HTTPS is affected.

The mitigating factors:

  • The attack must make several hundred HTTPS requests before the attack could be successful.
  • TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.
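
The second mitigating factor can be turned into an inventory check. The following is an added example, not code from Microsoft or the advisory: it flags connections whose negotiated protocol and cipher suite meet the exposed condition (SSL 3.0 or TLS 1.0 together with a CBC suite). The function names, the sample records and the hostnames are constructed for illustration.

```python
import re

# Markers in IANA or OpenSSL suite names that rule CBC mode out.
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")
# Assumption: "TLS 1.0 and earlier" is taken here as SSL 3.0 and TLS 1.0.
EXPOSED_VERSIONS = {("SSL", 3, 0), ("TLS", 1, 0)}


def parse_version(label):
    """Normalise labels such as 'TLSv1', 'TLS 1.0', 'SSLv3', 'TLSv1.2'."""
    m = re.fullmatch(r"(SSL|TLS)V?(\d)(?:\.(\d))?", label.upper().replace(" ", ""))
    if not m:
        raise ValueError(f"unrecognised protocol label: {label!r}")
    return m.group(1), int(m.group(2)), int(m.group(3) or 0)


def cipher_mode(suite):
    """Classify a suite name as 'aead', 'stream', 'null' or 'cbc'."""
    name = suite.upper()
    if any(marker in name for marker in AEAD_MARKERS):
        return "aead"
    if "RC4" in name:
        return "stream"   # stream cipher, so outside the CBC condition
    if "NULL" in name:
        return "null"     # no encryption at all
    # In SSL 3.0 through TLS 1.2 every remaining block-cipher suite runs in
    # CBC mode, even when the OpenSSL-style name (AES128-SHA) does not say so.
    return "cbc"


def beast_exposed(version, suite):
    """True when both conditions from the mitigating factors are met."""
    return parse_version(version) in EXPOSED_VERSIONS and cipher_mode(suite) == "cbc"


def audit(records):
    """Return the (host, version, suite) records that are exposed."""
    return [r for r in records if beast_exposed(r[1], r[2])]


# Constructed sample of negotiated parameters, e.g. from a TLS inventory scan.
SAMPLE = [
    ("shop.example.test", "TLSv1", "AES128-SHA"),
    ("mail.example.test", "TLSv1", "RC4-SHA"),
    ("api.example.test", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("old.example.test", "SSLv3", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
    ("intra.example.test", "TLSv1.1", "TLS_RSA_WITH_AES_256_CBC_SHA"),
]

if __name__ == "__main__":
    for host, version, suite in audit(SAMPLE):
        print(f"{host}: {version} with {suite} uses CBC on an affected version")
```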

Microsoft said that, given the attack scenario, this vulnerability is not considered high risk to customers, and suggested a few actions, including enabling TLS 1.1 and/or 1.2 in Internet Explorer on both client and server platforms. Clearing cookies, not browsing HTTP and HTTPS websites at the same time, and browsing HTTPS sites in Private Browsing also help you stay away from this attack.

And that’s pretty much what Microsoft can do about this issue.
