SSL/TLS protocols vulnerability could allow information disclosure
Report ID: MS201201006
Date Published: 11 January 2012
Compromise Type: information-disclosure
Compromise From: remote
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
A vulnerability in the SSL 3.0 and TLS 1.0 encryption protocols, which primarily impacts HTTPS traffic, could lead to information disclosure.
Microsoft has released a security update for the Windows operating system, following a report of a vulnerability in the SSL 3.0 and TLS 1.0 encryption protocols. The vulnerability exists when the cipher-block chaining (CBC) mode of operation is used, and it primarily impacts HTTPS traffic, since the browser is the primary attack vector. Upon successful exploitation of this vulnerability, an attacker could decrypt portions of encrypted traffic and retrieve information such as authentication cookies.
In the security update, Microsoft modifies the way that Windows Secure Channel (SChannel) components send and receive encrypted packets. To protect against the web-based attack vector, users are advised to install this update along with the most recent Internet Explorer security update.
Install the latest security patch for the applicable system, available for download from https://technet.microsoft.com/en-us/security/bulletin/ms12-006
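
An added example, not part of the original advisory or Microsoft's code: a Python audit that flags logged handshakes meeting the condition described above (SSL 3.0 or TLS 1.0 negotiated with a CBC cipher suite), so administrators can see which clients still rely on the affected combination. The log line format, field names and sample entries are constructed for illustration.

```python
import re
from collections import Counter

# Protocol versions the advisory names as affected.
AFFECTED_PROTOCOLS = {"SSLv3", "TLSv1.0"}

# Constructed sample handshake log (format and addresses are assumptions).
SAMPLE_LOG = """\
2012-01-12T09:14:03Z client=192.0.2.5 proto=TLSv1.0 cipher=TLS_RSA_WITH_AES_128_CBC_SHA
2012-01-12T09:14:07Z client=192.0.2.9 proto=TLSv1.0 cipher=TLS_RSA_WITH_RC4_128_SHA
2012-01-12T09:15:11Z client=192.0.2.5 proto=SSLv3 cipher=TLS_RSA_WITH_3DES_EDE_CBC_SHA
2012-01-12T09:15:40Z client=192.0.2.7 proto=TLSv1.2 cipher=TLS_RSA_WITH_AES_128_CBC_SHA256
2012-01-12T09:16:02Z client=192.0.2.8 proto=TLSv1.1 cipher=TLS_RSA_WITH_AES_256_CBC_SHA
malformed line without fields
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+proto=(?P<proto>\S+)\s+cipher=(?P<cipher>\S+)$"
)

def uses_cbc(suite):
    """True if the suite name carries CBC as one of its '_'-separated tokens."""
    return "CBC" in suite.upper().split("_")

def is_exposed(proto, suite):
    """The advisory's condition: affected protocol version AND a CBC suite."""
    return proto in AFFECTED_PROTOCOLS and uses_cbc(suite)

def audit(log_text):
    """Return (findings, skipped): flagged handshakes and count of unparsable lines."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1  # keep a count so silent parse failures are visible
            continue
        if is_exposed(m["proto"], m["cipher"]):
            findings.append(m.groupdict())
    return findings, skipped

def summarize(findings):
    """Count flagged handshakes per client to prioritise follow-up."""
    return Counter(f["client"] for f in findings)

if __name__ == "__main__":
    found, skipped = audit(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['client']} {f['proto']} {f['cipher']}")
    print(f"flagged={len(found)} skipped={skipped} by_client={dict(summarize(found))}")
```
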