SSL/TLS protocols vulnerability could allow information disclosure
Report ID: MS201201006
Date Published: 11 January 2012
Criticality: Important
Compromise Type: information-disclosure
Compromise From: remote
Affected Product/Component:
Windows XP
Windows Server 2003
Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2
Summary
A vulnerability in the SSL 3.0 and TLS 1.0 encryption protocols, which primarily impacts HTTPS traffic, could lead to information disclosure.
Detailed Description
Microsoft has released a security update for the Windows operating system, following a report of a vulnerability in the SSL 3.0 and TLS 1.0 encryption protocols. The vulnerability exists when the cipher block chaining (CBC) mode of operation is used, and it primarily impacts HTTPS traffic since the browser is the primary attack vector. Upon successful exploitation of this vulnerability, an attacker could decrypt portions of encrypted traffic and retrieve information such as authentication cookies.
In the security update, Microsoft modifies the way that Windows Secure Channel (SChannel) components send and receive encrypted packets. To protect against the web-based attack vector, users are advised to install this update along with the most recent Internet Explorer security update.
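To help prioritise patching, the condition described above (a CBC cipher suite negotiated under SSL 3.0 or TLS 1.0) can be checked against an inventory of observed handshakes. The following is an added example, not part of the advisory or of Microsoft's update; the inventory format, host names and function names are assumptions, and the sample records are constructed.

```python
import re

# Protocol versions the advisory names for CVE-2011-3389: SSL 3.0 and TLS 1.0.
AFFECTED = {("SSL", 3, 0), ("TLS", 1, 0)}
# SSL 3.0 and TLS 1.0 define only stream suites (RC4, NULL) and CBC block
# suites, so under those versions anything without these markers is CBC.
NON_CBC_MARKERS = ("RC4", "NULL")
_PROTO_RE = re.compile(r"^(SSL|TLS)V?(\d)(?:\.(\d))?$")


def parse_protocol(text):
    """Return (family, major, minor) for names like 'TLSv1' or 'SSLv3', else None."""
    m = _PROTO_RE.match(text.strip().upper())
    if not m:
        return None
    return (m.group(1), int(m.group(2)), int(m.group(3) or 0))


def is_exposed(protocol, cipher):
    """True when the pair is a CBC suite negotiated under SSL 3.0 or TLS 1.0."""
    if parse_protocol(protocol) not in AFFECTED:
        return False
    name = cipher.upper()
    return not any(marker in name for marker in NON_CBC_MARKERS)


def audit(lines):
    """Return [(endpoint, protocol, cipher)] for exposed records; skip bad lines."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) != 3 or line.lstrip().startswith("#"):
            continue
        endpoint, protocol, cipher = fields
        if is_exposed(protocol, cipher):
            findings.append((endpoint, protocol, cipher))
    return findings


# Constructed sample inventory: "<endpoint> <negotiated protocol> <cipher suite>".
SAMPLE = [
    "srv01.example.test:443 TLSv1 AES128-SHA",
    "srv01.example.test:443 TLSv1 RC4-SHA",
    "srv02.example.test:443 SSLv3 DES-CBC3-SHA",
    "srv03.example.test:443 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256",
    "srv04.example.test:443 TLSv1.1 AES256-SHA",
    "srv05.example.test:443 TLSv1.0 TLS_RSA_WITH_AES_128_CBC_SHA",
    "malformed-record",
]
```

Records using RC4 are not flagged because RC4 is a stream cipher, not CBC; RFC 7465 prohibits RC4 in TLS for separate reasons, so treat an unflagged RC4 record as out of scope for this check rather than as acceptable.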
CVE Reference
CVE-2011-3389
Solution
Install the latest security patch for the applicable system, available for download from https://technet.microsoft.com/en-us/security/bulletin/ms12-006




