Microsoft Pushes FixIt Tool to Enable Support for Newer TLS Version

Microsoft has relased a security advisory about the TLS/SSL attack developed by Juliano Rizzo and Thai Duong and also has made a FixIt tool available to help server administrators switch on support for newer versions of the protocol that aren’t vulnerable to the attack.

Microsoft toolMicrosoft has relased a security advisory about the TLS/SSL attack developed by Juliano Rizzo and Thai Duong and also has made a FixIt tool available to help server administrators switch on support for newer versions of the protocol that aren’t vulnerable to the attack.

The Microsoft advisory lays out some of the technical details of the attack, which involves a long-known weakness in the TLS protocol related to the way that it handles data when in CBC (cipher-block chaining) mode. Rizzo and Duong were able to extend an existing attack against the weakness that allows them to decrypt user cookies for secure sessions on the fly. The attack works against TLS 1.0, which is an old version of the protocol, but the server-side support for newer versions such as TLS 1.1 and 1.2 is low.

There are some mitigating factors for the attack, as Microsoft points out in a blog post from Jerry Bryant.

“We are not aware of a way to exploit this issue in other protocols or components, and we have no reports of exploitation in the wild at this time; our investigation continues, but our research so far indicates that customers are at minimal risk,” Bryant said. 

In order for the attack to succeed, the attacker needs the victim to be on an active HTTPS session, be able to inject the malicious code into the victim’s browser and have that code be treated as coming from the same origin as the active HTTPS session. The advances that Rizzo and Duong made to the existing attack on the TLS weakness included a custom tool that can inject their malicious code into the victim’s browser.

The FixIt tool that Microsoft released will automatically enable support for TLS 1.1 in Internet Explorer and in Windows 7 or Windows Server 2008.

“We would also encourage users and web administrators to enable the newer security protocols, such as TLS 1.1, on both the client side and the server side. If the browser and web server both enable TLS 1.1, the HTTPS traffic uses TLS 1.1 protocol instead of SSL 3.0/TLS 1.0, and thus won’t be affected by such attacks. TLS 1.1 protocol is supported in Windows 7 and Windows 2008 R2,” Microsoft’s SWIAT team wrote in a blog post on the mitigations.

The main problem with enabling support for newer versions of the TLS protocol on the client side, which would protect against the attack, is that the vast majority of sites don’t support it. Unless both the server and client have the newer version enabled, it doesn’t help.

Suggested articles

plugX malware loader TA416

TA416 APT Rebounds With New PlugX Malware Variant

The TA416 APT has returned in spear phishing attacks against a range of victims – from the Vatican to diplomats in Africa – with a new Golang version of its PlugX malware loader.

Discussion

  • Jeff on

    I posted a admin tool a few months back that easily allows adminitrators to configure cipher suites.  The main reason for it is to enable TLS 1.1 and 1.2 on Windows Server systems.  Check it out at: https://www.nartac.com/Products/IISCrypto/Default.aspx

     

  • Anonymous on

    Mcafee founstone reports are showing this vulnerability as high. This article downplays the severity of this issue.  I have tried the registry change and the setting in IE as well as the MS fixit tools. Still did not patch this vulnerability. Thoughts?

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.