Here is Microsoft's response concerning the vulnerability that was covered today in the tech media:

This is an industry-wide issue with limited impact that affects the Internet ecosystem as a whole rather than any specific platform. Our Advisory addresses the issue via the Windows operating system.

We are not aware of a way to exploit this issue in other protocols or components, and we have no reports of exploitation in the wild at this time; our investigation continues, but our research so far indicates that customers are at minimal risk. To successfully exploit this issue, the would-be attacker must meet several conditions:

  • The targeted user must be in an active HTTPS session;
  • The malicious code the attacker needs to decrypt the HTTPS traffic must be injected and run in the user’s browser session; and,
  • The attacker’s malicious code must be treated as coming from the same origin as the HTTPS server in order for it to be allowed to piggyback on the existing HTTPS connection.

In addition, due to the fashion in which this man-in-the-middle exploit operates, a would-be attacker would need a fairly high-bandwidth connection to the target. Later versions of TLS (1.1 and 1.2) are not susceptible to this approach; our Security Advisory gives guidance on how to enable TLS 1.1 and 1.2 for customers who believe themselves to be at significant risk from this issue.

You can read more about this issue at these links: