This is an industry-wide vulnerability affecting the SSL 3.0 protocol itself and is not specific to the Windows operating system. All supported versions of Microsoft Windows implement this protocol and are affected by this vulnerability. Considering the attack scenario, this vulnerability is not considered high risk.
What is SSL?
Secure Sockets Layer (SSL) is a cryptographic protocol that provides communication security over the Internet. SSL encrypts the data transported over the network, using cryptography for privacy and a keyed message authentication code for message reliability.
What is TLS?
Transport Layer Security (TLS) is a standard protocol that is used to provide secure web communications on the Internet or on intranets. It enables clients to authenticate servers or, optionally, servers to authenticate clients. It also provides a secure channel by encrypting communications. TLS is the latest version of the Secure Sockets Layer (SSL) protocol.
What causes the vulnerability?
The vulnerability is caused by a weakness in the CBC encryption algorithm used in SSL 3.0.
The vulnerability in SSL 3.0 allows attackers to decrypt encrypted website connections. Attackers can exploit a weakness in the protocol’s design to grab secret session cookies and can steal or tamper with your sensitive information while it’s in transit.
- The attacker must make several hundred HTTPS requests before the attack can succeed.
- TLS 1.0, TLS 1.1, TLS 1.2 and all cipher suites that do not use CBC mode are not affected.
Affected Operating System:
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based systems
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit systems SP2
Windows Server 2008 for x64-based systems SP2
Windows Server 2008 for Itanium-based systems SP2
Windows 7 for 32-bit systems SP1
Windows 7 for x64-based systems SP1
Windows Server 2008 R2 for x64-based systems SP1
Windows Server 2008 R2 for Itanium-based systems SP1
Windows 8 for 32-bit systems
Windows 8 for x64-based systems
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows Server 2012
Windows Server 2012 R2
Windows RT 8.1
Microsoft is investigating this vulnerability and will take the appropriate action to help protect their customers. This may include providing a security update through the monthly release process or providing an out-of-cycle security update. Microsoft has suggested a workaround to disable SSL 3.0 to mitigate this vulnerability. This workaround will disable SSL 3.0 for all server software installed on a system, including IIS.
1) Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, TLS 1.2 in Internet Explorer.
You can disable the SSL 3.0 protocol in Internet Explorer by modifying the Advanced Security settings in Internet Explorer.
To change the default protocol version to be used for HTTPS requests, perform the following steps:
- On the Internet Explorer Tools menu, click Internet Options.
- In the Internet Options dialog box, click the Advanced tab.
- In the Security category, uncheck Use SSL 3.0 and check Use TLS 1.0, Use TLS 1.1, and Use TLS 1.2 (if available).
- Click OK.
- Exit and restart Internet Explorer.
Note: After applying this workaround, Internet Explorer will fail to connect to Web servers that only support SSL up to 3.0 and don’t support TLS 1.0, TLS 1.1, and TLS 1.2.
2) Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, TLS 1.2 in Internet Explorer in Group Policy.
You can disable support for the SSL 3.0 protocol in Internet Explorer via Group Policy by modifying the Turn Off Encryption Support Group Policy Object.
- Open Group Policy Management.
- Select the group policy object to modify, right click and select Edit.
- In the Group Policy Management Editor, browse to the following setting:
Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Advanced Page -> Turn off encryption support
- Double-click the Turn off Encryption Support setting to edit the setting.
- Click Enabled.
- In the Options window, change the Secure Protocol combinations setting to “Use TLS 1.0, TLS 1.1, and TLS 1.2”.
- Click OK.
Note: Administrators should make sure this group policy is applied appropriately by linking the GPO to the appropriate OU in their environment.
Note: After applying this workaround, Internet Explorer will fail to connect to Web servers that only support SSL up to 3.0 and don’t support TLS 1.0, TLS 1.1, and TLS 1.2.
3) Disable SSL 3.0 in Windows.
You can disable support for the SSL 3.0 protocol on Windows by following these steps:
- Click Start, click Run, type regedt32 or type regedit, and then click OK.
- In Registry Editor, locate the following registry key:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
Note: If the complete registry key path does not exist, you can create it by expanding the available keys and using the New -> Key option from the Edit menu.
- On the Edit menu, click Add Value.
- In the Data Type list, click DWORD.
- In the Value Name box, type Enabled, and then click OK.
Note: If this value is present, double-click the value to edit its current value.
- Type 00000000 in Binary Editor to set the value of the new key equal to “0”.
- Click OK. Restart the computer.
Note: This workaround will disable SSL 3.0 for all server software installed on a system, including IIS.
Note: After applying this workaround, clients that rely only on SSL 3.0 will not be able to communicate with the server.
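The registry steps in workaround 3 can also be applied and checked from an elevated PowerShell prompt. The script below is an added example, not part of the original workaround text; the function names Get-Ssl3ServerState and Disable-Ssl3Server are hypothetical helpers, and the key path and the Enabled value are the ones given in the steps above.

```powershell
# Added example: apply and verify the "Disable SSL 3.0 in Windows" workaround.
# Run from an elevated (administrator) PowerShell session.
# Get-Ssl3ServerState and Disable-Ssl3Server are hypothetical helper names.

$Ssl3ServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server'

function Get-Ssl3ServerState {
    # Reports how the server side of SSL 3.0 is currently configured.
    if (-not (Test-Path -LiteralPath $Ssl3ServerKey)) {
        return 'NotConfigured'      # key absent: the OS default applies
    }
    $prop = Get-ItemProperty -LiteralPath $Ssl3ServerKey -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        return 'NotConfigured'      # key exists but has no Enabled value
    }
    if ($prop.Enabled -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-Ssl3Server {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if ($PSCmdlet.ShouldProcess($Ssl3ServerKey, 'Set Enabled = 0 (DWORD)')) {
        # Create the key (and any missing parent keys) only when it is absent,
        # so values already stored under an existing key are left alone.
        if (-not (Test-Path -LiteralPath $Ssl3ServerKey)) {
            New-Item -Path $Ssl3ServerKey -Force | Out-Null
        }
        # -Force overwrites an existing Enabled value, matching the
        # "if this value is present, edit it" note in the manual steps.
        New-ItemProperty -LiteralPath $Ssl3ServerKey -Name Enabled -Value 0 `
            -PropertyType DWord -Force | Out-Null
    }
}

"Before: $(Get-Ssl3ServerState)"
Disable-Ssl3Server                  # add -WhatIf to preview without writing
"After:  $(Get-Ssl3ServerState)"
'Restart the computer for the change to take effect.'
```

Get-Ssl3ServerState on its own makes no changes, so it can be used to audit a machine before and after the workaround is applied.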