Can you trust the SSL protocols anymore?

By Susan Bradley

Hard on the heels of the counterfeit SSL certificates scandal comes a new SSL security threat.

The recent ekoparty Security Conference in Argentina broke the news that encrypted SSL/TLS traffic is vulnerable to attack. But should we rush to install the workarounds?

(2588513)
Are the SSL protocols truly broken? Again?

Microsoft Security advisory KB 2588513, issued September 26, revealed that hackers can decrypt encrypted SSL traffic. But before you yank that Internet connection out of the wall, never to go online again, consider that mitigating factors make a successful attack of this kind extremely difficult to accomplish.


As detailed in Microsoft’s Security Research & Defense blog, a man-in-the-middle attacker must first place himself between you and the server with which you’re communicating — and then must be there exactly at the right time to sniff your traffic.

That said, if you’re still feeling queasy about this new danger, you have two ways to protect yourself. First, formally sign in and sign out of secured sites: don’t just close the browser when you’ve finished your session. Second, you can enable the support of TLS 1.1 and disable TLS 1.0 in Windows 7’s Internet Options (as shown in Figure 1) by using the Fixits in KB 2588513.

But watch out for websites that don’t support this setting — many don’t. If you try to open an HTTPS page on any such site, the page fails to load properly. And there’s bad news for XP: it doesn’t support these higher TLS versions (see Figure 2). You are likely to be advised to browse on a Windows 7 machine. At a recent HTCIA conference, several folks from the SANS organization stated that using IE 6 and 7 on XP machines puts you at risk.

Figure 1. Windows 7 can support higher TLS versions, circled in yellow.

Figure 2. Windows XP supports only TLS 1.0, circled in yellow.

So am I telling you to stop using XP? No, not at all. As in the case of the fake SSL certs, most Windows Secrets readers are not targets of difficult, high-cost attacks that might come as a result of news released at a security conference. And does this new threat mean that I’m going to recommend that you dump IE and use only Chrome or Firefox on Windows XP? Not so fast on that plan, either: at this time, neither Chrome nor Firefox supports TLS 1.1 or 1.2, as noted in the Register article and in a Wikipedia article about browsers that support TLS 1.1 or 1.2. For Chrome users, the good news is that a protective patch is in the developer build, and I expect Google to roll it out as soon as possible.

What to do: At this time, I’m not ready to tell you to jump on the Fixits — other than to test them on a spare Windows 7 computer to see how websites interact. We need to identify which sites are holding us all back from making TLS 1.1 or 1.2 the default. Watch for updates from Chrome for XP workstations. Do try to stay off untrusted wireless connections as much as possible. Stay tuned: for now, test only.
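Two things the advice above asks you to do by hand are to change which SSL/TLS versions Internet Explorer will negotiate and to find out which sites break when TLS 1.0 is turned off. The script below is an added example, written for this column and not code from Windows Secrets or from Microsoft's Fixit. It decodes and rewrites the `SecureProtocols` bitmask that IE keeps under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings` (the value the KB 2588513 Fixit edits; the bit assignments are the documented IE values, and the "enable TLS 1.1, disable TLS 1.0" behaviour is modelled on the column's description, not on the Fixit's actual code), and it probes a server one TLS version at a time so a test machine can list the sites that would stop working. The starting value `0xA0` (SSL 3.0 plus TLS 1.0) is a constructed sample, and `probe` needs network access, so it only runs when hostnames are passed on the command line.

```python
"""Decode/rewrite IE's SecureProtocols bitmask and probe a server's TLS versions.

Added example for this column; not Windows Secrets' or Microsoft's code.
"""
from __future__ import annotations

import socket
import ssl
import sys

# Bit values of the SecureProtocols DWORD in
# HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
SECURE_PROTOCOL_BITS = {
    "SSL 2.0": 0x08,
    "SSL 3.0": 0x20,
    "TLS 1.0": 0x80,
    "TLS 1.1": 0x200,
    "TLS 1.2": 0x800,
}


def decode_secure_protocols(value: int) -> list[str]:
    """Return the names of the protocols a SecureProtocols value enables."""
    return [name for name, bit in SECURE_PROTOCOL_BITS.items() if value & bit]


def build_secure_protocols(enabled: list[str]) -> int:
    """Return the DWORD that enables exactly the named protocols."""
    value = 0
    for name in enabled:
        value |= SECURE_PROTOCOL_BITS[name]  # unknown name -> KeyError, on purpose
    return value


def apply_fixit_setting(current: int) -> int:
    """Model the Fixit as described: turn TLS 1.1 on and TLS 1.0 off (assumption:
    the real Fixit may touch other bits; only the column's wording is modelled)."""
    return (current | SECURE_PROTOCOL_BITS["TLS 1.1"]) & ~SECURE_PROTOCOL_BITS["TLS 1.0"]


# TLS versions to offer one at a time when probing a server.
PROBE_VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
}


def server_accepts(host: str, version: ssl.TLSVersion, port: int = 443,
                   timeout: float = 5.0) -> bool:
    """True if a handshake that offers only `version` succeeds against host:port.

    Certificate checks are switched off because the question is protocol
    support, not server identity. A modern OpenSSL may refuse to offer
    TLS 1.0/1.1 at all; that shows up here as False (a false negative).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return False
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (OSError, ssl.SSLError):
        return False


def probe(host: str) -> dict[str, bool]:
    """Map each TLS version name to whether the host completed a handshake with it."""
    return {name: server_accepts(host, ver) for name, ver in PROBE_VERSIONS.items()}


if __name__ == "__main__":
    current = 0xA0  # constructed sample: SSL 3.0 + TLS 1.0 enabled
    print("before Fixit:", decode_secure_protocols(current))
    print("after Fixit: ", decode_secure_protocols(apply_fixit_setting(current)))
    for host in sys.argv[1:]:  # e.g. python tls_check.py example.com
        results = probe(host)
        blocked = not (results["TLS 1.1"] or results["TLS 1.2"])
        print(f"{host}: {results}{'  <- would break with TLS 1.0 off' if blocked else ''}")
```

A host that reports `TLS 1.0: True` but `False` for both 1.1 and 1.2 is one of the sites the column says is "holding us all back": it would stop loading on a machine where the Fixit has been applied, so it belongs on the list to test before the setting is rolled out more widely.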

(890830)
Malicious Software Removal Tool serves up clues

Every month, Microsoft offers the Windows Malicious Software Removal Tool to workstations. Every month, I recommend that you install it. When the tool doesn’t find anything, that’s a good thing — you’re not infected! When it does, it’s designed to get the major malicious threats off your system.

General use of the tool has another benefit: it allows us glimpses of the safe computing practices of areas of the world that get it right. In a six-part series of blog posts, Tim Rains, Director of Product Management in Microsoft’s Trustworthy Computing group, offers insights into why some countries do well in the fight against malware and some don’t. Part 1 identifies Austria, Finland, Germany, and Japan as having the fewest infections. Researchers suggest that Austria has few infections partly because of strong ISPs that crack down on users who host malicious activity. Finland sees legislation and regulation as being key factors in its low infection rates. Germany cites sharing of information among its regulatory agencies, the media, and consumers. Japan credits consumer education and the dissemination of extermination tools by ISPs.

What to do: Install the tool when it’s offered. In addition to protecting your workstation, the Malicious Software Removal Tool assists Microsoft in getting macro views of the state of cyber security. No identifiable information about you is released, but we can all benefit from the broad lessons in the findings. According to Tim’s final post, using the tool is part of the big picture of awareness and education.


Flash Player gets a zero-day update

We’re installing updates to Flash again because of a zero-day vulnerability that showed up in actual attacks. Adobe posted Security bulletin 11-26 and released an out-of-cycle update to protect users from this exploit. All browsers from Chrome to Firefox now have updates for their plugins as well.

Make sure you have updated your Adobe Flash Player for Windows, Macintosh, Linux, and Solaris to Adobe Flash Player 10.3.183.10. Users of Adobe Flash Player for Android should be on version 10.3.186.7. Check your Android phones and tablets because these devices specifically support Flash.

What to do: Make certain that you are current with the most recent Flash updates, but do not install any of the offered toolbars.

Regularly updated problem-patch chart

This table provides the status of problem patches reported in previous Patch Watch columns. Patches listed below as safe to install will be removed from the next updated table.

| Patch | Released | Description | Status |
|---|---|---|---|
| 2487367 | 08-09 | August .NET updates; see MS11-066 for complete patch list | Skip |
| 2533523 | 08-09 | .NET 4 Reliability Update 1 | Skip |
| 2539631 | 08-09 | August .NET updates; see MS11-069 for complete patch list | Skip |
| 2553065 | 09-13 | Office File Validation update | Skip |
| 2541014 | 05-24 | Windows Application Compatibility List update | Wait |
| 2539581 | 06-14 | Office 2003 update (nonsecurity) | Wait |
| 2510690 | 06-28 | Office 2010 SP1 | Wait |
| 2541763 | 06-28 | Fixes TLS/SSL handshake with Internet Explorer and Win XP or Vista | Wait |
| 2545698 | 06-28 | Resolves font-display issues in IE 9 with Vista and Win7 | Wait |
| 2547666 | 06-28 | Resolves long-URL issues in IE and Windows 7 | Wait |
| 2552343 | 06-28 | Resolves time-out issues in Windows 7 | Wait |
| 2528583 | 07-12 | Cumulative update for SQL Server 2008 R2 | Wait |
| 982018 | 07-12 | Advanced Format disk-configuration update | Optional |
| 2570791 | 08-25 | Daylight-saving update: time zone–specific, Outlook issues | Optional |
| 2570947 | 09-13 | More .dll-preloading updates | Install |
| 2587505 | 09-13 | Multiple Excel updates; see MS11-072 for all related updates | Install |
| 2587634 | 09-13 | Fix for malicious Office files | Install |
| 2616676 | 09-13 | DigiNotar certificate revocation | Install |

Status recommendations: Skip — patch not needed; Hold — do not install until its problems are resolved; Wait — hold off temporarily while the patch is tested; Optional — not critical, use if wanted; Install — OK to apply.

Feedback welcome: Have a question or comment about this story? Post your thoughts, praise, or constructive criticisms in the WS Columns forum.

The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley has been named an MVP (Most Valuable Professional) by Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.

All Windows Secrets articles posted on 2011-09-29:


About Susan Bradley

Susan Bradley is a Small Business Server and Security MVP, a title awarded by Microsoft to independent experts who do not work for the company. She's also a partner in a California CPA firm.