Vulnerability in TLS/SSL Could Allow Spoofing

Published: 2010-02-10
Last Updated: 2010-02-10 14:46:10 UTC
by Marcus Sachs (Version: 2)
2 comment(s)

Microsoft released a bulletin yesterday about a potential problem in TLS/SSL that could allow spoofing.  From their bulletin:

Microsoft is investigating public reports of a vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. At this time, Microsoft is not aware of any attacks attempting to exploit the reported vulnerability.

As an issue affecting an Internet standard, we recognize that this issue affects multiple vendors. We are working on a coordinated response with our partners in the Internet Consortium for Advancement of Security on the Internet (ICASI). The TLS and SSL protocols are implemented in several Microsoft products, both client and server, and this advisory will be updated as our investigation continues.

As part of this security advisory, Microsoft is making available a workaround which enables system administrators to disable TLS and SSL renegotiation functionality. However, as renegotiation is required functionality for some applications, this workaround is not intended for wide implementation and should be tested extensively prior to implementation.

Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, depending on customer needs.

More details are in their bulletin and we'll let you know if we hear anything more.  We have not received any reports of in-the-wild exploitation of this potential vulnerability.

Thanks, Kurt and Cheryl, for bringing this to our attention!

Marcus H. Sachs
Director, SANS Internet Storm Center


Keywords: Microsoft SSL TLS
2 comment(s)


This looks like the same SSL prepending vulnerability that was disclosed last year. The SRD blog has more info,
Microsoft seeming a little slow to fix something that I believe was fixed in OpenSSL etc. some... six months ago?

There's a good point mentioned on that Technet blog, that a conceivable exploit of this in HTTPS would probably have been an XSRF vulnerability anyway. A well-designed web app should prevent this TLS bug from being exploited to cause harm.

But I'd recommend playing it safe and getting systems patched as its inevitable that someone thinks of a clever new way of exploit this bug.

Diary Archives