Security Advisory for SSL/TLS Flaw Released by Microsoft
In response to a new threat of attack caused by a flaw in the Secure Socket Layer (SSL) 3.0 and Transport Layer Security (TLS) 1.0, Microsoft has issued Security Advisory 2588513, which contains a description and workarounds.
The flaw, discovered and demonstrated by two security researchers last week, allows for a potential attacker to pull off a man-in-the-middle exploit by gaining access to a user's machine through an active HTTPS session.
"Once an agent has been loaded, BEAST can patiently wait until you sign in to some valuable websites to steal your accounts," wrote Doung, in a blog post.
Speaking on what is required to pull off such an attack, Microsoft said the following, in a TechNet blog post:
- "The HTTPS session must be actively attacked by a man-in-the-middle; simply observing the encrypted traffic is not sufficient.
- The malicious code the attacker uses to decrypt the HTTPS traffic must be injected and run within the user's browser session.
- The attacker's malicious code needs to be treated as from the same origin as the HTTPS server in order to it to be allowed to piggyback on an existing HTTPS connection. Most likely it requires the attacker to exploit another vulnerability to bypass the browser's same origin policy."
While the exploit only works in TLS versions 1.0, most browsers do not provide support for newer versions (TLS 1.1 and 1.2), and in Microsoft's case, Internet Explorer does not have TLS 1.1 activated as its default setting due to compatibility issues. Microsoft said it is waiting for worldwide servers to implement correct HTTPS protocols before it can set TLS 1.1 to default.
Microsoft did not provide a fix with Monday's security advisory. However, it did provide a handful of workarounds, which include switching on TLS 1.1 in Internet Explorer, enabling Microsoft's browser to prompt users before running Active Scripting and prioritizing the RC4 algorithm to secure communication, among others.