Microsoft Reports Bug in Web Security Protocols

Microsoft on Tuesday warned of a "vulnerability" associated with two protocols commonly used to establish secure client-server communications.

The flaw lies in the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols themselves, and Microsoft's implementation of them is affected in several versions of Windows, including Windows Server 2008, Windows XP, Windows Vista and Windows 7, the company explained in a security advisory. The advisory noted, however, that Microsoft is currently not aware of "any attacks attempting to exploit the reported vulnerability."

The warning came on the same day as Microsoft's massive February patch release, which no doubt already has IT administrators scratching their heads.

Many applications rely on the TLS/SSL protocols to establish secure connections over the Internet. This particular vulnerability, however, would let an attacker positioned between the client and the server, in a classic "man-in-the-middle" scenario, take actions on a remote site to which the user has already authenticated, explained Paul Zimski, vice president of market strategy at Lumension.

Successful exploitation of this vulnerability would happen "despite the fact that the session is encrypted," Zimski added. "Attackers wouldn't be able to read or listen in, but they would be able to take new actions in the context of the logged-on user."

Joshua Talbot, security intelligence manager at Symantec Security Response, seconded that assertion. He added that exploiting such a weakness would take a seasoned attacker, and that an insecure wireless network is one likely place to do it.

"Though not a trivial attack, requiring the attacker to first intercept the victim's traffic, it could be used to attack users of unsecured or public wireless access points," Talbot said.

The risk of such an attack is relatively low due to the sophistication needed to pull it off, according to Phil Lieberman, founder and president of Lieberman Software.

"This type of bug/limitation is not particularly surprising given that this type of exploit requires that a hacker have a very high technical capability as well as the ability to tap into secure network sessions," Lieberman said. "It is an interesting technical exploit, but not particularly likely."

One security expert took issue with Microsoft's description of this TLS/SSL bug as a vulnerability.

"This is something I would prefer to see called a weakness," said Tyler Reguly, a senior research engineer with nCircle. "I know I'm in the minority, but to me this is a protocol implementation weakness and I don't think that as an industry we do enough to establish the difference between vulnerabilities and weaknesses."

The TLS/SSL protocols are best known for securing "HTTPS" Web traffic, but they also protect other application-layer protocols, such as FTP, LDAP and SMTP, according to an article in Microsoft's TechNet library. Netscape first developed SSL in 1994, and the Internet Engineering Task Force later used it as the basis for the TLS specification, the article explains.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.
