

Vulnerability protection

SSL/TLS protocols vulnerability could allow information disclosure


Report ID: MS201201006
Date Published: 11 January 2012

Criticality: Important
Compromise Type: information-disclosure
Compromise From: remote


Affected Product/Component:

Windows XP
Windows Server 2003
Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2




Summary

A vulnerability in the SSL 3.0 and TLS 1.0 encryption protocols, which primarily impacts HTTPS traffic, could lead to information disclosure.



Detailed Description

Microsoft has released a security update for the Windows operating system, following a report of a vulnerability in the SSL 3.0 and TLS 1.0 encryption protocols. The vulnerability exists when the cipher-block chaining (CBC) mode of operation is used, and it primarily impacts HTTPS traffic because the browser is the primary attack vector. By successfully exploiting this vulnerability, an attacker could decrypt portions of encrypted traffic and retrieve information such as authentication cookies.

The security update modifies the way that Windows Secure Channel (SChannel) components send and receive encrypted packets. To protect against the web-based attack vector, users are advised to install this update along with the most recent Internet Explorer security update.
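To find which connections fall under the condition described above (SSL 3.0 or TLS 1.0 combined with a CBC cipher suite), the following added example, which is not part of the original advisory or of any Microsoft tooling, classifies negotiated protocol and suite pairs from a handshake log. The log format, the sample lines and all function names are assumptions constructed for illustration.

```python
import re

# Protocol versions the advisory names as affected (CVE-2011-3389).
AFFECTED_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.0"}

# Assumption: only standard suites appear. Under SSL 3.0 / TLS 1.0 such a
# suite is RC4 (stream), NULL (no encryption) or a block cipher in CBC mode;
# AEAD modes such as GCM require TLS 1.2.
NON_CBC_MARKERS = ("RC4", "NULL")

def uses_cbc(suite):
    """True if the suite is a CBC block cipher under SSL 3.0 / TLS 1.0.

    Works for IANA names (TLS_RSA_WITH_AES_128_CBC_SHA) and for OpenSSL
    names (AES128-SHA), which do not spell out the CBC mode.
    """
    name = suite.upper()
    return not any(marker in name for marker in NON_CBC_MARKERS)

def in_affected_class(protocol, suite):
    """True if the pair matches the condition the advisory describes."""
    return protocol in AFFECTED_PROTOCOLS and uses_cbc(suite)

# Constructed log format: "<client> proto=<version> cipher=<suite>"
LINE_RE = re.compile(r"^(\S+)\s+proto=(\S+)\s+cipher=(\S+)$")

def scan(lines):
    """Return (client, protocol, suite) for every affected connection."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and in_affected_class(m.group(2), m.group(3)):
            hits.append(m.groups())
    return hits

# Constructed sample input (documentation address range, not real traffic).
SAMPLE_LOG = [
    "192.0.2.5 proto=TLSv1 cipher=TLS_RSA_WITH_AES_128_CBC_SHA",
    "192.0.2.6 proto=TLSv1 cipher=RC4-SHA",
    "192.0.2.7 proto=SSLv3 cipher=DES-CBC3-SHA",
    "192.0.2.8 proto=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256",
    "192.0.2.9 proto=TLSv1.1 cipher=AES256-SHA",  # version not named by the advisory
    "192.0.2.10 proto=TLSv1 cipher=AES128-SHA",
]

if __name__ == "__main__":
    for client, proto, suite in scan(SAMPLE_LOG):
        print(f"{client}: {proto} with {suite} is in the affected class")
```
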



CVE Reference

CVE-2011-3389



Solution

Install the latest security patch for the applicable system, available for download from https://technet.microsoft.com/en-us/security/bulletin/ms12-006


