Last Updated: 2010-02-10 14:46:10 UTC
by Marcus Sachs (Version: 2)
Microsoft released a bulletin yesterday about a potential problem in TLS/SSL that could allow spoofing. From their bulletin:
"Microsoft is investigating public reports of a vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. At this time, Microsoft is not aware of any attacks attempting to exploit the reported vulnerability.
"As an issue affecting an Internet standard, we recognize that this issue affects multiple vendors. We are working on a coordinated response with our partners in the Internet Consortium for Advancement of Security on the Internet (ICASI). The TLS and SSL protocols are implemented in several Microsoft products, both client and server, and this advisory will be updated as our investigation continues.
"As part of this security advisory, Microsoft is making available a workaround which enables system administrators to disable TLS and SSL renegotiation functionality. However, as renegotiation is required functionality for some applications, this workaround is not intended for wide implementation and should be tested extensively prior to implementation.
"Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, depending on customer needs."
More details are in their bulletin and we'll let you know if we hear anything more. We have not received any reports of in-the-wild exploitation of this potential vulnerability.
Thanks, Kurt and Cheryl, for bringing this to our attention!
Marcus H. Sachs
Director, SANS Internet Storm Center