Microsoft has issued Security Advisory (977377) to address a publicly disclosed vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. The TLS and SSL protocols are implemented in several Microsoft products, both client and server. Currently Microsoft has concluded that it affects all supported versions of Windows: Windows 2000 SP4, Windows XP (32-bit and 64-bit), Windows Server 2003 (32-bit and 64-bit), Windows Vista (32-bit and 64-bit), Windows Server 2008 (32-bit and 64-bit), Windows 7 (32-bit and 64-bit), and Windows Server 2008 R2. Microsoft says it will update the advisory as the investigation progresses.
This warning should not be confused with the 13 Security Bulletins fixing 26 vulnerabilities Microsoft released today on this month's Patch Tuesday; the company is simply stating that it is investigating the flaw. Microsoft also makes sure to note that since the issue implicates an Internet standard, the company recognizes that it affects multiple vendors and is working on a coordinated response with its partners in the Internet Consortium for Advancement of Security on the Internet (ICASI).
Redmond also underlined that it is currently unaware of any attacks trying to use the vulnerability, is actively monitoring the situation, and may provide a security update on an upcoming Patch Tuesday or an out-of-cycle patch once it is ready. The next Patch Tuesday is scheduled for March 9, 2010.
In the meantime, Microsoft listed two mitigating factors for the vulnerability:
- Web servers running Internet Information Services (IIS) 6.0 or later in the default configuration are not affected by this vulnerability, as they are only affected when configured to require mutual authentication (an uncommon configuration).
- Customers are only affected when an attacker is able to successfully conduct a man-in-the-middle attack by exploiting another vulnerability, such as a local subnet attack or DNS spoofing.
Microsoft also outlined two workarounds in the security advisory for Web servers running IIS 6 and later that are affected because they require mutual authentication by requesting a client certificate. Enabling the SSLAlwaysNegoClientCert setting will cause IIS to prompt the client for a certificate upon the initial connection, and does not require a server-initiated renegotiation. The downside is that setting this flag will require the client to authenticate prior to loading any element from the SSL-protected website and will thus cause the browser to always prompt the user for a client certificate upon connecting. Alternatively, the company is offering an update which lets system administrators disable TLS and SSL renegotiation functionality (available at KB977377). Microsoft admits, however, that renegotiation is required functionality for some applications so it doesn't recommend that this workaround be used for wide implementation (and should be tested rigorously before any implementation).
"
