According to Jerry Bryant, general manager of the Trustworthy Computing operation, whilst Microsoft is not aware of a way to exploit this issue in other protocols or components - and has no reports of exploitation in the wild at this time – its investigations continue. “Our research so far indicates that customers are at minimal risk”, he noted.
To successfully exploit this issue, Microsoft says that the would-be attacker must meet several conditions:
The targeted user must be in an active HTTPS session;
The malicious code the attacker needs to decrypt the HTTPS traffic must be injected and run in the user’s browser session; and,
The attacker’s malicious code must be treated as from the same origin as the HTTPS server in order to it to be allowed to piggyback the existing HTTPS connection.
In addition, says the software giant, due to the way in which this man-in-the-middle exploit operates, a would-be attacker would need a fairly high-bandwidth connection to the target.
“Later versions of TLS (1.1 and 1.2) are not susceptible to this approach; our Security Advisory gives guidance on how to enable TLS 1.1 and 1.2 for customers who believe themselves to be at significant risk from this issue”, says Bryant in his security advisory.
Infosecurity understands that Microsoft was pushed into its advisory after the flaw was discovered - and demonstrated - by two Far Eastern security researchers last week
In their demonstration, Thai Duong and Juliano Rizzo announced the development of a Java-based extensible applet called Beast that decrypted cookies on a web site to gain access to a target, machine. The researchers said they had used their software on the PayPal web site to demonstrate that even the most secure sites are vulnerable.