Manage updates with the Download App
Microsoft Security Advisory (977377)
by Donna Buenaventura 
- 2/9/10 7:29 PM
Microsoft Security Advisory (977377)
Vulnerability in TLS/SSL Could Allow Spoofing
Published: February 09, 2010
Microsoft is investigating public reports of a vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. At this time, Microsoft is not aware of any attacks attempting to exploit the reported vulnerability.
As an issue affecting an Internet standard, we recognize that this issue affects multiple vendors. We are working on a coordinated response with our partners in the Internet Consortium for Advancement of Security on the Internet (ICASI). The TLS and SSL protocols are implemented in several Microsoft products, both client and server, and this advisory will be updated as our investigation continues.
As part of this security advisory, Microsoft is making available a workaround which enables system administrators to disable TLS and SSL renegotiation functionality. However, as renegotiation is required functionality for some applications, this workaround is not intended for wide implementation and should be tested extensively prior to implementation.
Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, depending on customer needs.
Affected
This advisory discusses the following software.Affected Software
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems*
Windows Server 2008 R2 for Itanium-based Systems
*Server Core installation affected.
Workarounds
Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
-Enable SSLAlwaysNegoClientCert on IIS 6 and above
http://www.microsoft.com/technet/security/advisory/977377.mspx
Unread
Read
Locked thread
Moderator
CNET Staff
Samsung Staff
Norton Authorized Support Team
AVG Staff
avast! Staff
Webroot Support Team
Acer Customer Experience Team
Windows Outreach Team
Dell Staff
Intel Staff
Question
Resolved question
General discussion
Tip
Alert or warning
Praise
Rant%20-%20CNET%20Spyware,%20viruses,%20%26amp;%20security%20Forums&srcUrl=http://forums.cnet.com/microsoft-security-advisory-977377/7723-6132_102-382338.html&x_breadcrumb=6035:7572:6132){kind=small}