December 11, 2016

Microsoft Issues Security Advisory to Combat the BEAST

(LiveHacking.Com) – As reported yesterday, the mechanism behind earlier versions of SSL/TLS is susceptible to attack due to the way they use block ciphers. Microsoft has now published a blog post and issued a security advisory about the problem.

This is an industry-wide issue with limited impact that affects the Internet ecosystem as a whole rather than any specific platform. Our Advisory addresses the issue via the Windows operating system.

According to Microsoft’s analysis, users are at minimal risk. To successfully exploit this issue, the would-be attacker must meet several conditions:

  • The targeted user must be in an active HTTPS session.
  • The malicious code the attacker needs to decrypt the HTTPS traffic must be injected and run in the user’s browser session.
  • The attacker’s malicious code must be treated as coming from the same origin as the HTTPS server in order for it to be allowed to piggyback on the existing HTTPS connection.
  • The attack must make several hundred HTTPS requests before it can succeed.
  • TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.

For those who run servers on Windows, Microsoft suggests using the RC4 algorithm. Because the attack only affects cipher suites that use symmetric encryption algorithms in CBC mode, such as AES, the RC4 algorithm is not vulnerable. System administrators can prioritize the RC4 algorithm on their servers using the instructions given here: Prioritizing Schannel Cipher Suites.
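
To see what prioritizing a cipher suite changes, the following added example (not code from Microsoft or from this article) models server-preference suite selection and flags sessions that fall in the affected set: SSL 3.0 or TLS 1.0 with a CBC suite. The suite orders and client offers are constructed sample data, and the helper names are hypothetical.

```python
# Added example (not Microsoft's code). Helper names are hypothetical.
AFFECTED_PROTOCOLS = {"SSL 3.0", "TLS 1.0"}      # TLS 1.1 and TLS 1.2 are not affected
TLS12_ONLY_TOKENS = {"GCM", "SHA256", "SHA384"}  # suites that only exist in TLS 1.2

def parse_order(value):
    """Split a comma-separated cipher suite order string into a list."""
    return [s.strip() for s in value.split(",") if s.strip()]

def uses_cbc(suite):
    """True when the suite name carries a CBC token, e.g. ..._AES_128_CBC_SHA."""
    return "CBC" in suite.upper().split("_")

def usable(suite, protocol):
    """TLS 1.2-only suites cannot be selected on older protocol versions."""
    tls12_only = bool(TLS12_ONLY_TOKENS & set(suite.upper().split("_")))
    return protocol == "TLS 1.2" or not tls12_only

def negotiate(server_order, client_offer, protocol):
    """Server-preference selection: first server suite the client also offers."""
    offered = set(client_offer)
    for suite in server_order:
        if suite in offered and usable(suite, protocol):
            return suite
    return None

def audit(server_order, client_offer, protocols=("TLS 1.0", "TLS 1.1", "TLS 1.2")):
    """Map each protocol to (selected suite, True if in the affected set)."""
    report = {}
    for protocol in protocols:
        suite = negotiate(server_order, client_offer, protocol)
        affected = (suite is not None and protocol in AFFECTED_PROTOCOLS
                    and uses_cbc(suite))
        report[protocol] = (suite, affected)
    return report

# Constructed sample data: two server orders and two client offers.
CBC_FIRST = "TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA"
RC4_FIRST = "TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA"
CLIENT_WITH_RC4 = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA"]
CLIENT_CBC_ONLY = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]

if __name__ == "__main__":
    cases = [("CBC first", CBC_FIRST, CLIENT_WITH_RC4),
             ("RC4 first", RC4_FIRST, CLIENT_WITH_RC4),
             ("RC4 first, client without RC4", RC4_FIRST, CLIENT_CBC_ONLY)]
    for label, order, offer in cases:
        for protocol, (suite, affected) in audit(parse_order(order), offer).items():
            print(f"{label:30} {protocol}: {suite} affected={affected}")
```

The third case shows the limit of reordering: a client that does not offer RC4 still ends up on a CBC suite under TLS 1.0.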