Microsoft Reports Bug in Web Security Protocols

Microsoft on Tuesday warned of a "vulnerability" associated with two protocols commonly used to establish secure client-server communications.

The Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols have a bug that could affect several versions of Windows, including Windows Server 2008, Windows XP, Vista and Windows 7, Microsoft explained in a security advisory. However, the advisory noted that Microsoft currently has not heard of "any attacks attempting to exploit the reported vulnerability."

The warning came on the same day of Microsoft's massive February patch release, which no doubt already has IT administrators scratching their heads.

Many applications rely on the TLS/SSL protocols to establish secure connections over the Internet. However, this particular vulnerability would allow a hacker to take actions on a remote site where the user has received authentication in a classic "man-in-the-middle" attack scenario, explained Paul Zimski, vice president of market strategy at Lumension.

Successful exploitation of this vulnerability would happen "despite the fact that the session is encrypted," Zimski added. "Attackers wouldn't be able to read or listen in, but they would be able to take new actions in the context of the logged-on user."

Joshua Talbot, security intelligence manager at Symantec Security Response, seconded that assertion. He added that it would require a seasoned hacker to exploit such a weakness, possibly through an insecure wireless network.

"Though not a trivial attack, requiring the attacker to first intercept the victim's traffic, it could be used to attack users of unsecured or public wireless access points," Talbot said.

The risk of such an attack is relatively low due to the sophistication needed to pull it off, according to Phil Lieberman, founder and president of Lieberman Software.

"This type of bug/limitation is not particularly surprising given that this type of exploit requires that a hacker have a very high technical capability as well as the ability to tap into secure network sessions," Lieberman said. "It is an interesting technical exploit, but not particularly likely."

One security expert took issue with Microsoft's description of this TLS/SSL bug as a vulnerability.

"This is something I would prefer to see called a weakness," said Tyler Reguly, a senior research engineer with nCircle. "I know I'm in the minority, but to me this is a protocol implementation weakness and I don't think that as an industry we do enough to establish the difference between vulnerabilities and weaknesses."

The TLS/SSL protocols typically support "HTTPS"-type secure communications over the Internet, but they are also associated with other Web-based protocols, such as FTP, LDAP and SMTP, according to an article in Microsoft's TechNet library. Netscape first developed SSL in 1994 but the Internet Engineering Task Force later used it as the basis for the TLS specification, the article explains.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.


  • Image of a futuristic maze

    The 2024 Microsoft Product Roadmap

    Everything Microsoft partners and IT pros need to know about major Microsoft product milestones this year.

  • Microsoft Sets September Launch for Purview Data Governance

    Microsoft's AI-powered Purview solution to address governance and security challenges is set to become generally available on Sept. 1.

  • An image of planes flying around a globe

    2024 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss.

  • End of the Road for Kaspersky in the United States

    Kaspersky on Monday said it is shuttering its U.S. operations, just days before a nationwide ban on sales of its security software was set to take effect.