.

Security Advisory for SSL/TLS Flaw Released by Microsoft

<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Wed Sep 28, 2011 5:08 pm

Security Advisory for SSL/TLS Flaw Released by Microsoft

Article in MCP Mag by Chris Paoli:


In response to a new threat of attack caused by a flaw in the Secure Socket Layer (SSL) 3.0 and Transport Layer Security (TLS) 1.0, Microsoft has issued Security Advisory 2588513, which contains a description and workarounds.

The flaw, discovered and demonstrated by two security researchers last week, allows for a potential attacker to pull off a man-in-the-middle exploit by gaining access to a user's machine through an active HTTPS session.



For full article:
http://mcpmag.com/articles/2011/09/27/s ... l-tls.aspx

Don
CISSP, MCSE, CSTA, Security+ SME
<<

alucian

User avatar

Full Member
Full Member

Posts: 228

Joined: Mon Dec 29, 2008 2:01 pm

Location: Montreal, Canada

Post Thu Sep 29, 2011 6:56 am

Re: Security Advisory for SSL/TLS Flaw Released by Microsoft

From the article:
"Microsoft did not provide a fix with Monday's security advisory. However, it did provide a handful of workarounds, which include switching on TLS 1.1 in Internet Explorer, enabling Microsoft's browser to prompt users before running Active Scripting and prioritizing the RC4 algorithm to secure communication, among others. "

Isn't RC4 a weak algorithm??
CISSP ISSAP, CISM/A, GWAPT, GCIH, GREM, GMOB, OSWP
<<

l33t5h@rk

Post Fri Oct 07, 2011 10:29 pm

Re: Security Advisory for SSL/TLS Flaw Released by Microsoft

alucian wrote:Isn't RC4 a weak algorithm??


Here's a link to prioritizing ciphers in Win 2K8

http://www.carbonwind.net/blog/post/A-quick-one-Setting-the-preferred-TLS-Cipher-Suite-on-TMG-Forefront-Beta-3-adding-a-little-bit-of-ephemerality.aspx

I don't think they were pushing RC4 for strength as much as it being a stream cipher and not a block cipher that BEAST exposed the vuln in.

Return to Malware

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software