Source: Windows Secrets
By Susan Bradley
Hard on the heels of the counterfeit SSL certificates scandal comes a new SSL security threat. A recent ekoparty Security Conference in Argentina broke the news that encrypted SSL/TLS traffic is vulnerable to attack. But should we rush to install the workarounds?
(2588513)
Are the SSL protocols truly broken? Again? Microsoft Security advisory KB 2588513, issued September 26, revealed that hackers can decrypt encrypted SSL traffic. But before you yank that Internet connection out of the wall, never to go online again, consider that mitigating factors make a successful attack of this kind extremely difficult to accomplish.
As detailed in Microsoft's Security Research & Defense blog, a man-in-the-middle attacker must first place himself between you and the server with which you're communicating — and then must be there exactly at the right time to sniff your traffic.
That said, if you're still feeling queasy about this new danger, you have two ways to protect yourself. First, formally sign in and sign out of secured sites: don't just close the browser when you've finished your session. Second, you can enable the support of TLS 1.1 and disable TLS 1.0 in Windows 7's Internet Options (as shown in Figure 1) by using the Fixits in KB 2588513. But watch out for websites that don't support this setting — many don't. If you try to go to the SSL page for any such website, the SSL website fails to load properly. And there's bad news for XP: it doesn't support these higher levels of SSL security (see Figure 2). You are likely to be advised to browse on a Windows 7 machine. At a recent HTCIA conference, several folks from the SANS organization stated that using IE 6 and 7 on XP machines puts you at risk.
Figure 1. Windows 7 can support higher TLS versions, circled in yellow.
Figure 2. Windows XP supports only TLS 1.0, circled in yellow.
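When TLS 1.0 is disabled in the browser, a site that cannot speak TLS 1.1 fails during the handshake, and the first record the server returns after the ClientHello shows why. The following is an added example, not part of the original column: it classifies that first record for a client with a given set of enabled versions. The host names and reply bytes are constructed samples.

```python
import struct

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}

def classify_reply(data, client_enabled):
    """Classify the first TLS record a server returns after a ClientHello.

    data: raw bytes from the socket (b"" if the peer closed or reset).
    client_enabled: version names the client allows, e.g. {"TLS 1.1", "TLS 1.2"}.
    """
    if len(data) < 5:
        return ("no_reply", "closed before a TLS record header arrived")
    ctype, _record_version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if ctype == 21 and len(body) >= 2:      # alert: level(1) description(1)
        return ("alert", ALERTS.get(body[1], "alert %d" % body[1]))
    if ctype == 22 and len(body) >= 6 and body[0] == 2:
        # ServerHello: type(1) length(3) server_version(2) ...
        chosen = VERSIONS.get(struct.unpack("!H", body[4:6])[0], "unknown")
        if chosen in client_enabled:
            return ("ok", chosen)
        # Server answered with a version the client has switched off.
        return ("version_rejected", chosen)
    return ("unexpected", "content type %d" % ctype)

def server_hello(version):
    """Build a minimal ServerHello record (constructed test input)."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, version, len(handshake)) + handshake

# Constructed replies; the host names are placeholders, not real sites.
SAMPLES = {
    "upgraded.example": server_hello(0x0302),
    "legacy.example": server_hello(0x0301),
    "strict.example": struct.pack("!BHHBB", 21, 0x0301, 2, 2, 70),
    "dropped.example": b"",
}

def survey(samples, client_enabled):
    """Classify every sample reply for one client configuration."""
    return {host: classify_reply(raw, client_enabled) for host, raw in samples.items()}

if __name__ == "__main__":
    for host, result in survey(SAMPLES, {"TLS 1.1", "TLS 1.2"}).items():
        print(host, result)
```

Any result other than `ok` is a site that would not load with TLS 1.0 turned off.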
So am I telling you to stop using XP? No, not at all. As in the case of the fake
SSL certs, most Windows Secrets readers are not targets of difficult, high-cost attacks
that might come as a result of news released at a security conference. And does this
new threat mean that I'm going to recommend that you dump IE and use only Chrome
or Firefox on your Windows XP? Not so fast on that plan, either: at this time, neither
Chrome nor Firefox supports TLS 1.1 or 1.2, as noted in the Register article and
in a Wikipedia article about browsers that support TLS 1.1 or 1.2. For Chrome users,
the good news is that a protective patch is in the developer build, and I expect
Google to roll it out as soon as possible.
What to do: At this time, I'm not ready to tell you to jump on the Fixits — other than to test them on a spare Windows 7 computer to see how websites interact. We need to identify which sites are holding us all back from making TLS 1.1 or 1.2 the default. Watch for updates from Chrome for XP workstations. Do try to stay off untrusted wireless connections as much as possible. Stay tuned: for now, test only.
(890830)
Every month, Microsoft offers the Windows Malicious Software Removal Tool to workstations. Every month, I recommend that you install it. When the tool doesn't find anything, that's a good thing — you're not infected! When it does, it's designed to get the major malicious threats off your system.
General use of the tool has another benefit: it allows us glimpses of the safe computing practices of areas of the world that get it right. In a six-part series of blog posts, Tim Rains, Director of Product Management in Microsoft's Trustworthy Computing group, offers insights into why some countries do well in the fight against malware and some don't. Part 1 identifies Austria, Finland, Germany and Japan as having the fewest infections. Researchers suggest that Austria has few infections partly because of strong ISPs that crack down on users who host malicious activity.
Finland sees legislation and regulation as being key factors in its low infection rates. Germany cites sharing of information among its regulatory agencies, the media, and consumers. Japan credits consumer education and the dissemination of extermination tools by ISPs.
What to do? Install the tool when it's offered. In addition to protecting your workstation, the Malicious Software Removal Tool assists Microsoft in getting macro views of the state of cyber security. No identifiable information about you is released, but we can all benefit from the broad lessons in the findings. According to Tim's final post, using the tool is part of the big picture of awareness and education.
We're installing updates to Flash again because of a zero-day vulnerability that showed up in actual attacks. Adobe posted Security bulletin 11-26 and released an out-of-cycle update to protect users from this exploit. All browsers from Chrome to Firefox now have updates for their plugins as well.
Make sure you have updated your Adobe Flash Player for Windows, Macintosh, Linux, and Solaris to Adobe Flash Player 10.3.183.10. Users of Adobe Flash Player for Android should be on version 10.3.186.7. Check your Android phones and tablets because these devices specifically support Flash.
What to do? Make certain that you are current with the most recent Flash updates, but do not install any of the offered toolbars.
Regularly updated problem-patch chart
This table provides the status of problem patches reported in previous Patch Watch columns.
To view the tables mentioned above, visit the Windows Secrets Newsletter website from the link below.
Visit The Windows Secrets Newsletter Page
Created on ... September 30, 2011