SSL Vulnerability Affects Tens of Thousands of Sites
By Scott Bekker
April 15, 2004
A newly disclosed remote execution flaw involving Secure Sockets Layer encryption puts tens of thousands of Web-facing servers at risk of being taken over by attackers, according to Internet researchers at Netcraft.
The flaw is one of about 20 security problems fixed in four new patches released by Microsoft this week.
"More than 132,000 web-facing SSL servers are running either Windows 2000 or Windows NT4, according to our March Secure Server Survey, representing nearly 45 percent of all SSL servers," Netcraft said in a report on its Web site Wednesday.
Tens of thousands of those systems were undoubtedly patched in the aftermath of Microsoft's well-publicized Patch Tuesday, but if experience is any guide, many tens of thousands more will not be patched for weeks or months.
The X-Force security researchers at Internet Security Systems (ISS), where the flaw was discovered, say the remote execution flaw is especially serious because SSL is most often used to secure data transmissions involving confidential or financial information. "X-Force believes that hackers will aggressively target this vulnerability given the high-value nature of Web sites protected by SSL," ISS said in an advisory.
Microsoft described the flaw, one of 14 fixed with patches in security bulletin MS04-011, as the "PCT Vulnerability." Microsoft rates its severity as "critical" for Windows 2000 and Windows NT 4, "important" for Windows XP and "low" for Windows Server 2003. This flaw, which allows remote code execution, is not to be confused with another, less serious flaw also fixed in MS04-011 that is called the "SSL Vulnerability." Exploiting that flaw results only in a denial-of-service condition.
The dangerous vulnerability, the remote execution flaw, is a stack overflow in the Private Communications Technology, or PCT, protocol. PCT is a proprietary protocol developed by Microsoft and Visa International as an alternative to Secure Sockets Layer (SSL) 2.0. SSL 3.0 has made both PCT 1.0 and SSL 2.0 obsolete. PCT is enabled by default in Windows 2000 and Windows NT 4.0. Windows Server 2003 has SSL 3.0 enabled and PCT disabled by default. "The likely outcome of this latest vulnerability will be the abrupt death of PCT, as administrators disable it on all older servers," Netcraft noted.
According to the ISS X-Force advisory, the vulnerability "can be exploited reliably over the Internet."
Scott Bekker is editor in chief of Redmond Channel Partner magazine.