News

Microsoft Reports Bug in Web Security Protocols

• By Jabulani Leffall
• February 10, 2010

Microsoft on Tuesday warned of a "vulnerability" associated with two protocols commonly used to establish secure client-server communications.

The Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols have a bug that could affect several versions of Windows, including Windows Server 2008, Windows XP, Vista and Windows 7, Microsoft explained in a security advisory. However, the advisory noted that Microsoft currently has not heard of "any attacks attempting to exploit the reported vulnerability."

The warning came on the same day of Microsoft's massive February patch release, which no doubt already has IT administrators scratching their heads.

Many applications rely on the TLS/SSL protocols to establish secure connections over the Internet. However, this particular vulnerability would allow a hacker to take actions on a remote site where the user has received authentication in a classic "man-in-the-middle" attack scenario, explained Paul Zimski, vice president of market strategy at Lumension.

Successful exploitation of this vulnerability would happen "despite the fact that the session is encrypted," Zimski added. "Attackers wouldn't be able to read or listen in, but they would be able to take new actions in the context of the logged-on user."

Joshua Talbot, security intelligence manager at Symantec Security Response, seconded that assertion. He added that it would require a seasoned hacker to exploit such a weakness, possibly through an insecure wireless network.

"Though not a trivial attack, requiring the attacker to first intercept the victim's traffic, it could be used to attack users of unsecured or public wireless access points," Talbot said.

The risk of such an attack is relatively low due to the sophistication needed to pull it off, according to Phil Lieberman, founder and president of Lieberman Software.

"This type of bug/limitation is not particularly surprising given that this type of exploit requires that a hacker have a very high technical capability as well as the ability to tap into secure network sessions," Lieberman said. "It is an interesting technical exploit, but not particularly likely."

One security expert took issue with Microsoft's description of this TLS/SSL bug as a vulnerability.

"This is something I would prefer to see called a weakness," said Tyler Reguly, a senior research engineer with nCircle. "I know I'm in the minority, but to me this is a protocol implementation weakness and I don't think that as an industry we do enough to establish the difference between vulnerabilities and weaknesses."

The TLS/SSL protocols typically support "HTTPS"-type secure communications over the Internet, but they are also associated with other Web-based protocols, such as FTP, LDAP and SMTP, according to an article in Microsoft's TechNet library. Netscape first developed SSL in 1994 but the Internet Engineering Task Force later used it as the basis for the TLS specification, the article explains.