Date: 28 September 2011
References: ASB-2011.0071.2 ESB-2011.1041 ESB-2011.1052 ASB-2011.0092 ESB-2011.1055 ASB-2011.0120 ESB-2012.0044 ASB-2012.0016 ESB-2012.0707 ESB-2012.0866 ESB-2012.0867
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2011.0979
Vulnerability in SSL/TLS Could Allow Information Disclosure
28 September 2011
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Windows
Publisher: Microsoft
Operating System: Windows
Impact/Access: Access Confidential Data -- Remote with User Interaction
Resolution: Mitigation
CVE Names: CVE-2011-3389
Reference: ASB-2011.0071.2
Original Bulletin:
http://technet.microsoft.com/en-us/security/advisory/2588513
- --------------------------BEGIN INCLUDED TEXT--------------------
Microsoft Security Advisory (2588513)
Vulnerability in SSL/TLS Could Allow Information Disclosure
Published: Monday, September 26, 2011
Version: 1.0
General Information
Executive Summary
Microsoft is aware of detailed information that has been published describing
a new method to exploit a vulnerability in SSL 3.0 and TLS 1.0, affecting the
Windows operating system. This vulnerability affects the protocol itself and
is not specific to the Windows operating system. This is an information
disclosure vulnerability that allows the decryption of encrypted SSL/TLS
traffic. This vulnerability primarily impacts HTTPS traffic, since the browser
is the primary attack vector, and all web traffic served via HTTPS or mixed
content HTTP/HTTPS is affected. We are not aware of a way to exploit this
vulnerability in other protocols or components and we are not aware of attacks
that try to use the reported vulnerability at this time. Considering the
attack scenario, this vulnerability is not considered high risk to customers.
We are actively working with partners in our Microsoft Active Protections
Program (MAPP) to provide information that they can use to provide broader
protections to customers.
Upon completion of this investigation, Microsoft will take the appropriate
action to help protect our customers. This may include providing a security
update through our monthly release process or providing an out-of-cycle
security update, depending on customer needs.
Mitigating Factors:
* The attacker must drive several hundred HTTPS requests from the victim's
browser before the attack can succeed.
* TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not
affected.
Advisory Details
References Identification
CVE Reference CVE-2011-3389
Microsoft Knowledge Base Article 2588513
Affected Software
Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Workarounds
* Prioritize the RC4 Algorithm in server software on systems running
Windows Vista, Windows Server 2008, or later.
The attack only affects cipher suites that use a block cipher in CBC mode,
such as AES-CBC or 3DES-CBC, and does not affect the RC4 stream cipher.
You can prioritize the RC4 algorithm in server software in order to facilitate
secure communication using RC4 instead of CBC. Refer to this MSDN article,
Prioritizing Schannel Cipher Suites, to learn how to perform this operation.
Warning The client or server with which you are communicating must
support the RC4 algorithm. If support for RC4 is not available, a different
cipher suite will be used if one is available, and this workaround will be
ineffective.
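The registry-based form of this workaround, as an added example that is not part of the advisory or of Microsoft's Fix it: it reads Schannel's default cipher suite order, moves the non-CBC suites (RC4-SHA and, where present on Windows 7 / Server 2008 R2, the AES-GCM suites for ECDSA certificates) to the front, drops the NULL-cipher and SSL 2.0 suites, and writes the result to the cipher suite order policy value, which is what the "Prioritizing Schannel Cipher Suites" procedure sets through Group Policy. The registry locations and value formats are Microsoft's documented ones; the suite-name pattern is an assumption about the TLS_* names shipped on those systems. One caveat the advisory predates: RC4 was later shown to have exploitable keystream biases and RFC 7465 prohibits it in TLS, so the non-CBC suites worth preferring today are the GCM ones, which the mitigating factor above already covers.

```powershell
# Added example (not from the advisory): put non-CBC suites first in the
# Schannel cipher suite order. Windows Vista / Server 2008 or later, run
# elevated; Schannel picks up the new order after a reboot.

# Order shipped with the OS (REG_MULTI_SZ, one suite per element).
$localKey  = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Configuration\Local\SSL\00010002'
# Policy override read by Schannel (REG_SZ, comma-separated, under 1023 chars).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-SchannelCipherSuiteOrder {
    # A policy value, if one is set, wins over the local default.
    $policy = (Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue).Functions
    if ($policy) { return @($policy -split ',') }
    return @((Get-ItemProperty -Path $localKey -Name Functions).Functions)
}

function New-NonCbcFirstOrder {
    param([string[]]$Order)
    # Assumption: Schannel's TLS_* naming as shipped on Vista/2008/7. The pattern
    # selects RC4-SHA and AES-GCM suites only; *_MD5, NULL-cipher and SSL_CK_*
    # (SSL 2.0) suites are also "not CBC" but must never be promoted.
    $preferPattern = '^TLS_.*_WITH_(RC4_128_SHA|AES_(128|256)_GCM_SHA(256|384))(_P(256|384|521))?$'
    $dropPattern   = '^SSL_CK_|_WITH_NULL_'
    $kept      = @($Order | Where-Object { $_ -notmatch $dropPattern })
    $preferred = @($kept  | Where-Object { $_ -match $preferPattern })
    $rest      = @($kept  | Where-Object { $preferred -notcontains $_ })
    return $preferred + $rest
}

function Set-SchannelCipherSuiteOrder {
    param([string[]]$Order)
    $value = $Order -join ','
    # Schannel ignores a policy string that is too long, so fail loudly instead.
    if ($value.Length -ge 1023) {
        throw "Cipher suite list is $($value.Length) chars; the policy value must be under 1023"
    }
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name Functions -Value $value -Type String
}

$current = Get-SchannelCipherSuiteOrder
$new     = New-NonCbcFirstOrder -Order $current
Set-SchannelCipherSuiteOrder -Order $new
"Suites now tried first: " + (($new | Select-Object -First 3) -join ', ')
```

The same policy value governs Schannel as client and as server, so it also changes what Internet Explorer offers; as the warning above says, a peer that lacks every promoted suite simply negotiates the first CBC suite both sides share, and the workaround has no effect for that connection.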
* Enable TLS 1.1 and/or 1.2 in Internet Explorer on systems running
Windows 7 or Windows Server 2008 R2
You can enable a different version of the TLS protocol that is not
affected by this vulnerability. You can do this by modifying the
Advanced Security settings of Internet Explorer.
To change the default protocol version to be used for HTTPS requests,
perform the following steps:
1. On the Internet Explorer Tools menu, click Internet Options.
2. In the Internet Options dialog box, click the Advanced tab.
3. In the Security category, select the Use TLS 1.1 and/or Use TLS
1.2 checkboxes.
4. Click OK.
5. Exit and restart Internet Explorer.
Note See Microsoft Knowledge Base Article 2588513 to use the automated
Microsoft Fix it solution to enable or disable this workaround for
TLS 1.1.
Warning Web servers that don't support TLS 1.1 or 1.2 will negotiate a
lower SSL/TLS version, voiding the workaround.
* Enable TLS 1.1 in server software on systems running Windows 7 or
Windows Server 2008 R2
You can enable TLS 1.1, which is not affected by the vulnerability.
See Microsoft Knowledge Base Article 2588513 to use the automated
Microsoft Fix it solution to enable or disable this workaround for
TLS 1.1.
Warning Web clients that don't support TLS 1.1 will negotiate a lower
SSL/TLS version, voiding the workaround.
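The two TLS 1.1/1.2 workarounds above (Internet Explorer client side, Schannel server side) as one scripted example added here; it is not the advisory's text nor Microsoft's Fix it. The Internet Explorer checkboxes set one per-user DWORD bitmask, SecureProtocols, and the Fix it creates the Schannel protocol keys; the registry paths and bit values below are Microsoft's documented ones. The assumption that a missing SecureProtocols value means IE's default of SSL 3.0 plus TLS 1.0 is marked in the code. It enables TLS 1.2 alongside TLS 1.1, since the mitigating factors list both as unaffected.

```powershell
# Added example (not part of the advisory): enable TLS 1.1 and 1.2 for
# Internet Explorer (per user) and for Schannel (machine wide), then read the
# result back. Windows 7 / Server 2008 R2; run elevated; reboot for Schannel.

$ieKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Bits of the IE SecureProtocols DWORD, one per protocol version.
$protocolBits = @{ 'SSL 2.0' = 0x08; 'SSL 3.0' = 0x20; 'TLS 1.0' = 0x80; 'TLS 1.1' = 0x200; 'TLS 1.2' = 0x800 }

function Get-IeSecureProtocolMask {
    $v = (Get-ItemProperty -Path $ieKey -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols
    # Assumption: no value present means IE's default of SSL 3.0 + TLS 1.0 (0xA0).
    if ($null -eq $v) { $v = 0xA0 }
    return [int]$v
}

function Get-IeSecureProtocols {
    # Names of the versions IE will currently offer, for a read-back check.
    $v = Get-IeSecureProtocolMask
    $protocolBits.Keys | Sort-Object | Where-Object { ($v -band $protocolBits[$_]) -ne 0 }
}

function Enable-IeProtocol {
    param([string[]]$Names)
    # OR the requested bits into the existing mask, exactly like ticking the
    # checkboxes: nothing already enabled is switched off.
    $v = Get-IeSecureProtocolMask
    foreach ($n in $Names) { $v = $v -bor $protocolBits[$n] }
    Set-ItemProperty -Path $ieKey -Name SecureProtocols -Value $v -Type DWord
}

function Enable-SchannelProtocol {
    param([string]$Protocol, [string[]]$Sides = @('Server', 'Client'))
    # On Windows 7 / 2008 R2 the TLS 1.1 and 1.2 keys are absent until created;
    # Enabled=1 together with DisabledByDefault=0 makes Schannel offer the version.
    foreach ($side in $Sides) {
        $key = "$schannel\$Protocol\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name Enabled -Value 1 -Type DWord
        Set-ItemProperty -Path $key -Name DisabledByDefault -Value 0 -Type DWord
    }
}

Enable-IeProtocol -Names 'TLS 1.1', 'TLS 1.2'
Enable-SchannelProtocol -Protocol 'TLS 1.1'
Enable-SchannelProtocol -Protocol 'TLS 1.2'
'Internet Explorer now offers: ' + ((Get-IeSecureProtocols) -join ', ')
```

Leaving TLS 1.0 (and SSL 3.0) enabled is deliberate: as both warnings above say, a peer that cannot speak TLS 1.1 or 1.2 still negotiates a lower version, so this workaround only protects connections where both ends support the newer protocol, and removing the older versions instead would break those connections rather than protect them.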
* Set Internet and Local intranet security zone settings to "High" to
block ActiveX Controls and Active Scripting in these zones
You can help protect against exploitation of this vulnerability by
changing your settings for the Internet security zone to block ActiveX
controls and Active Scripting. You can do this by setting your browser
security to High.
To raise the browsing security level in Internet Explorer, perform the
following steps:
1. On the Internet Explorer Tools menu, click Internet Options.
2. In the Internet Options dialog box, click the Security tab, and
then click the Internet icon.
3. Under Security level for this zone, move the slider to High. This
sets the security level for all Web sites you visit to High.
Note If no slider is visible, click Default Level, and then move the
slider to High.
Note Setting the level to High may cause some Web sites to work
incorrectly. If you have difficulty using a Web site after you change
this setting, and you are sure the site is safe to use, you can add that
site to your list of trusted sites. This will allow the site to work
correctly even with the security setting set to High.
Impact of workaround. There are side effects to blocking ActiveX
Controls and Active Scripting. Many Web sites that are on the Internet or on
an intranet use ActiveX or Active Scripting to provide additional
functionality. For example, an online e-commerce site or banking site may use
ActiveX Controls to provide menus, ordering forms, or even account statements.
Blocking ActiveX Controls or Active Scripting is a global setting that affects
all Internet and intranet sites. If you do not want to block ActiveX Controls
or Active Scripting for such sites, use the steps outlined in "Add sites that
you trust to the Internet Explorer Trusted sites zone".
Add sites that you trust to the Internet Explorer Trusted sites zone
After you set Internet Explorer to block ActiveX controls and Active
Scripting in the Internet zone and in the Local intranet zone, you can add
sites that you trust to the Internet Explorer Trusted sites zone. This will
allow you to continue to use trusted Web sites exactly as you do today, while
helping to protect yourself from this attack on untrusted sites. We recommend
that you add only sites that you trust to the Trusted sites zone.
To do this, perform the following steps:
1. In Internet Explorer, click Tools, click Internet Options, and
then click the Security tab.
2. In the Select a Web content zone to specify its current security
settings box, click Trusted Sites, and then click Sites.
3. If you want to add sites that do not require an encrypted channel,
click to clear the Require server verification (https:) for all
sites in this zone check box.
4. In the Add this Web site to the zone box, type the URL of a site
that you trust, and then click Add.
5. Repeat these steps for each site that you want to add to the zone.
6. Click OK two times to accept the changes and return to Internet
Explorer.
Note Add any sites that you trust not to take malicious action on your
system. Two in particular that you may want to add are
*.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites
that will host the update, and it requires an ActiveX Control to install the
update.
* Configure Internet Explorer to prompt before running Active Scripting or
to disable Active Scripting in the Internet and Local intranet security zone
You can help protect against exploitation of this vulnerability by
changing your settings to prompt before running Active Scripting or to disable
Active Scripting in the Internet and Local intranet security zone. To do this,
perform the following steps:
1. In Internet Explorer, click Internet Options on the Tools menu.
2. Click the Security tab.
3. Click Internet, and then click Custom Level.
4. Under Settings, in the Scripting section, under Active Scripting,
click Prompt or Disable, and then click OK.
5. Click Local intranet, and then click Custom Level.
6. Under Settings, in the Scripting section, under Active Scripting,
click Prompt or Disable, and then click OK.
7. Click OK two times to return to Internet Explorer.
Note Disabling Active Scripting in the Internet and Local intranet
security zones may cause some Web sites to work incorrectly. If you have
difficulty using a Web site after you change this setting, and you are sure
the site is safe to use, you can add that site to your list of trusted sites.
This will allow the site to work correctly.
Impact of workaround. There are side effects to prompting before running
Active Scripting. Many Web sites that are on the Internet or on an intranet
use Active Scripting to provide additional functionality. For example, an
online e-commerce site or banking site may use Active Scripting to provide
menus, ordering forms, or even account statements. Prompting before running
Active Scripting is a global setting that affects all Internet and intranet
sites. You will be prompted frequently when you enable this workaround. For
each prompt, if you feel you trust the site that you are visiting, click Yes
to run Active Scripting. If you do not want to be prompted for all these
sites, use the steps outlined in "Add sites that you trust to the Internet
Explorer Trusted sites zone".
Add sites that you trust to the Internet Explorer Trusted sites zone
After you set Internet Explorer to require a prompt before it runs
ActiveX controls and Active Scripting in the Internet zone and in the Local
intranet zone, you can add sites that you trust to the Internet Explorer
Trusted sites zone. This will allow you to continue to use trusted Web sites
exactly as you do today, while helping to protect you from this attack on
untrusted sites. We recommend that you add only sites that you trust to the
Trusted sites zone.
To do this, perform the following steps:
1. In Internet Explorer, click Tools, click Internet Options, and
then click the Security tab.
2. In the Select a Web content zone to specify its current security
settings box, click Trusted Sites, and then click Sites.
3. If you want to add sites that do not require an encrypted channel,
click to clear the Require server verification (https:) for all
sites in this zone check box.
4. In the Add this Web site to the zone box, type the URL of a site
that you trust, and then click Add.
5. Repeat these steps for each site that you want to add to the zone.
6. Click OK two times to accept the changes and return to Internet
Explorer.
Note Add any sites that you trust not to take malicious action on your
system. Two in particular that you may want to add are
*.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites
that will host the update, and it requires an ActiveX Control to install the
update.
* Clear cookies and don't navigate to HTTP and HTTPS websites at the same
time
First, clear all cookies. Then, while browsing, close all HTTP Web
sites, including sites that mix HTTP and HTTPS, before and during use of
HTTPS. Finally, log out of all HTTPS Web sites that require authentication
before resuming HTTP traffic.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================