Even though the security hole is not specific to Windows

Sep 28, 2011 10:18 GMT

Microsoft is hard at work on a patch designed to address a vulnerability affecting SSL (Secure Sockets Layer) 3.0 and TLS (Transport Layer Security) 1.0, even though the security hole is not specific to Windows. Security researchers recently demonstrated a new exploit targeting an SSL 3.0 and TLS 1.0 vulnerability, which allows attackers to decrypt encrypted SSL/TLS traffic.

Because this is an industry-wide issue, it is not limited to Windows or Internet Explorer, but the software giant will take the necessary measures to protect its customers.

This will be done through a Windows security update, which has yet to reach the level of quality required for distribution.

Still, the Redmond company considers that Windows users face only minimal risk from the new SSL 3.0 and TLS 1.0 exploit, with Jerry Bryant, Group Manager, Response Communications, Trustworthy Computing Group, stressing that customers are not under attack.

“We are not aware of a way to exploit this issue in other protocols or components, and we have no reports of exploitation in the wild at this time; our investigation continues, but our research so far indicates that customers are at minimal risk,” Bryant said.

It’s worth noting that the information disclosure vulnerability only affects SSL 3.0 and TLS 1.0, and that customers leveraging later versions of TLS (1.1 and 1.2) have nothing to worry about from the recent exploit that was made public.

But even if users are running an IE version that uses SSL 3.0 and TLS 1.0, it would still be extremely difficult for an attacker to successfully exploit the vulnerability.

Bryant revealed that in order for an actual attack to happen, “The targeted user must be in an active HTTPS session; the malicious code the attacker needs to decrypt the HTTPS traffic must be injected and run in the user’s browser session; and, the attacker’s malicious code must be treated as from the same origin as the HTTPS server in order for it to be allowed to piggyback the existing HTTPS connection.”
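Since the article states that only SSL 3.0 and TLS 1.0 are affected while TLS 1.1 and 1.2 are not, an administrator can check which version a server actually selects by reading the ServerHello it sends. The following Python sketch is an added example, not code from Microsoft or the researchers; the function names and the sample records are constructed for illustration.

```python
import struct

# (major, minor) wire values for the protocol versions the article names.
VERSIONS = {
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}
AFFECTED = {"SSL 3.0", "TLS 1.0"}  # per the article; TLS 1.1 and 1.2 are not


def negotiated_version(record: bytes) -> str:
    """Return the version a server selected, read from a ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    content_type, _maj, _min, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) < rec_len or len(body) < 6:
        raise ValueError("truncated handshake message")
    if body[0] != 0x02:
        raise ValueError("not a ServerHello")
    # body[1:4] is the handshake length; server_version follows it.
    version = (body[4], body[5])
    return VERSIONS.get(version, "unknown (%d, %d)" % version)


def is_affected(record: bytes) -> bool:
    # Unknown versions are reported as not affected; review them by hand.
    return negotiated_version(record) in AFFECTED


def sample_server_hello(major: int, minor: int) -> bytes:
    """Constructed test input: a minimal ServerHello with an all-zero random."""
    hello = bytes([major, minor]) + bytes(32) + b"\x00" + b"\x00\x0a" + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + bytes([major, minor]) + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    for ver in sorted(VERSIONS):
        rec = sample_server_hello(*ver)
        print(negotiated_version(rec), "affected" if is_affected(rec) else "not affected")
```

The parser reads only the ServerHello `server_version` field, so it reports what the server chose for one connection, not every version the server is willing to accept.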