Microsoft KB2643584

MS12-006: Vulnerability in SSL/TLS could allow information disclosure: January 10, 2012

2012-01-10 00:00:00
Microsoft
support.microsoft.com

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

<html><body>
<p>Resolves a vulnerability in SSL/TLS that could allow information disclosure.</p>
<h2>INTRODUCTION</h2>
<div>Microsoft has released security bulletin MS12-006. To view the complete security bulletin, go to one of the following Microsoft websites:
<ul>
<li>Home users:<br /><div><a href="http://www.microsoft.com/security/pc-security/bulletins/201201.aspx" target="_self">http://www.microsoft.com/security/pc-security/bulletins/201201.aspx</a></div><span>Skip the details</span>: Download the updates for your home computer or laptop from the Microsoft Update website now:<br /><div><a href="http://update.microsoft.com/microsoftupdate/" target="_self">http://update.microsoft.com/microsoftupdate/</a></div></li>
<li>IT professionals:<br /><div><a href="http://technet.microsoft.com/security/bulletin/ms12-006" target="_self">http://technet.microsoft.com/security/bulletin/MS12-006</a></div></li>
</ul>
<h3>How to obtain help and support for this security update</h3>
Help installing updates:<br /><a href="https://support.microsoft.com/ph/6527" target="_self">Support for Microsoft Update</a><br /><br />
Security solutions for IT professionals:<br /><a href="http://technet.microsoft.com/security/bb980617.aspx" target="_self">TechNet Security Troubleshooting and Support</a><br /><br />
Help protect your computer that is running Windows from viruses and malware:<br /><a href="https://support.microsoft.com/contactus/cu_sc_virsec_master" target="_self">Virus Solution and Security Center</a><br /><br />
Local support according to your country:<br /><a href="https://support.microsoft.com/common/international.aspx" target="_self">International Support</a>
</div>
<h2>Fix it for me</h2>
<div>Two Fix it solutions are available.<br />
<ul>
<li><span>Fix it solution for Transport Layer Security (TLS) 1.1 in Internet Explorer</span>: This solution enables TLS 1.1, which is not affected by this vulnerability, in Windows Internet Explorer. Most typical users should install this Fix it solution.</li>
<li><span>Fix it solution for TLS 1.1 on Windows-based servers</span>: This solution enables TLS 1.1, which is not affected by the vulnerability.</li>
</ul>
The Fix it solutions that are described in this section are not intended as replacements for any security update. We recommend that you always install the latest security updates. However, we offer these Fix it solutions as workaround options for some scenarios.<br /><br />
For more information about the workarounds, see security bulletin MS12-006:<br /><div><a href="http://technet.microsoft.com/security/bulletin/ms12-006" target="_self">http://technet.microsoft.com/security/bulletin/ms12-006</a></div>
The bulletin provides more information about the issue and includes the following:<br />
<ul>
<li>The scenarios in which you might apply or disable the workaround</li>
<li>Mitigating factors</li>
<li>Workarounds</li>
<li>Frequently asked questions</li>
</ul>
Specifically, to see this information, look for the <span>Vulnerability Information</span> section, and then expand the <span>Workarounds</span> paragraph under the <span>SSL and TLS Protocols Vulnerability - CVE-2011-3389</span> paragraph.<br />
<h3>Fix it solution for TLS 1.1 on Internet Explorer</h3>
To enable or disable this Fix it solution, click the <strong>Fix it</strong> button or link under the <strong>Enable</strong> or <strong>Disable</strong> heading. Click <strong>Run</strong> in the <strong>File Download</strong> dialog box, and then follow the steps in the Fix it Wizard.<br />
<h4>Notes</h4>
<ul>
<li>These wizards may be in English only. However, the automatic fixes also work for other language versions of Windows.</li>
<li>If you are not on the computer that has the problem, you can save the automatic fix to a flash drive or a CD, and then you can run it on the computer that has the problem.</li>
</ul>
<h3>Fix it solution for TLS 1.1 on Windows-based servers</h3>
To enable or disable this Fix it solution, click the <strong>Fix it</strong> button or link under the <strong>Enable</strong> or <strong>Disable</strong> heading. Click <strong>Run</strong> in the <strong>File Download</strong> dialog box, and then follow the steps in the Fix it Wizard.<br />
<h4>Notes</h4>
<ul>
<li>These wizards may be in English only. However, the automatic fixes also work for other language versions of Windows.</li>
<li>If you are not on the computer that has the problem, you can save the automatic fix to a flash drive or a CD, and then you can run it on the computer that has the problem.</li>
</ul>
</div>
<div>
<h3>Known issues with this security update</h3>
After you install this security update, you may experience authentication failure or loss of connectivity to some HTTPS servers. This issue occurs because this security update changes the way that records are sent to HTTPS servers.<br /><br />
To temporarily disable or re-enable this security update, click the <strong>Fix it</strong> button or link under the <strong>Disable the security update</strong> or <strong>Re-enable the security update</strong> heading. Click <strong>Run</strong> in the <strong>File Download</strong> dialog box, and then follow the steps in the Fix it wizard.<br />
<h4>Notes</h4>
<ul>
<li>These wizards may be in English only. However, the automatic fixes also work for other language versions of Windows.</li>
<li>If you are not on the computer that has the problem, you can save the automatic fix to a flash drive or a CD, and then you can run it on the computer that has the problem.</li>
</ul>
The following table shows the values that are applied by these Fix it solutions to the <span>SendExtraRecord</span> registry DWORD entry:
<div><table>
<tr><th>Heading</th><th>Value applied to SendExtraRecord entry</th></tr>
<tr><td>Disable the security update</td><td>2</td></tr>
<tr><td>Re-enable the security update</td><td>0</td></tr>
</table></div>
<span>Note</span> The <span>SendExtraRecord</span> setting will be included in future releases of Windows.
<h4>Known issues and additional information about this security update</h4>
The following articles contain additional information about this security update as it relates to individual product versions. The articles may contain known issue information. If this is the case, the known issue is listed below each article link:<br />
<ul>
<li><a href="https://support.microsoft.com/en-us/help/2585542">2585542</a> MS12-006: Description of the security update for Webio, Winhttp, and schannel in Windows: January 10, 2012</li>
<li><a href="https://support.microsoft.com/en-us/help/2638806">2638806</a> MS12-006: Description of the security update for Winhttp in Windows Server 2003 and Windows XP Professional x64 Edition: January 10, 2012</li>
</ul>
<h3>Registry information</h3>
<span>Not recommended</span> We do not recommend that you use the following procedure to disable this security update. However, we provide this procedure for scenarios in which you may be using applications that are incompatible with this security update, which enables split SSL records for all applications.<br /><br />
<span><span>Important </span>This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:<br /><div><a href="https://support.microsoft.com/en-us/help/322756">322756</a> How to back up and restore the registry in Windows</div></span><br /><br />
By default, this security update sets the Opt-in mode at the schannel level, because of application compatibility issues. To disable this security update for all applications system-wide, you must add a DWORD value that is named <span>SendExtraRecord</span> and that has a value of 2 to the following registry subkey:
<div><strong>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL</strong></div>
To add this schannel registry entry, follow these steps:<br />
<ol>
<li>Click <strong>Start</strong>, click <strong>Run</strong>, type <span>regedit</span> in the <strong>Open</strong> box, and then click <strong>OK</strong>.</li>
<li>Locate and then click the following subkey in the registry:<br /><div><strong>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL</strong></div></li>
<li>On the <strong>Edit</strong> menu, point to <strong>New</strong>, and then click <strong>DWORD Value</strong>.</li>
<li>Type <span>SendExtraRecord</span> for the name of the DWORD value, and then press Enter.</li>
<li>Right-click <span>SendExtraRecord</span>, and then click <strong>Modify</strong>.</li>
<li>In the <strong>Value data</strong> box, type <span>2</span> to disable the split record in schannel, and then click <strong>OK</strong>.</li>
<li>Exit Registry Editor.</li>
</ol>
This registry entry can have three values, and each value provides a different mode of operation:
<div><table>
<tr><th>Reg-key Value</th><th>Description</th></tr>
<tr><td>0</td><td>By default, schannel runs in "Opt-in Mode." This means that this security update will work for all the callers who send the Secure flag to schannel. The "SendExtraRecord" schannel registry entry will not be created by the security package. Therefore, no schannel registry entry means that the system is running in this mode. If someone creates this registry key and sets the value to 0, schannel will again run in this mode.<br /><br />This setting has the same effect as not creating this registry entry at all. Applications that send a Secure flag to schannel during session initialization will only exercise the fixed secure code path. For other applications, there will be no change in schannel behavior.<br /><br />This security update also fixes the application layers that are involved in web browsing by using Internet Explorer to send the Secure flag, in order to help secure the browser usage scenarios.<br /><br /><span>Note</span> In Windows Server 2003, security update 2638806 must be installed to help secure HTTP client applications that use WinHTTP APIs. For more information, click the following article number to view the article in the Microsoft Knowledge Base: <div><a href="https://support.microsoft.com/en-us/help/2638806">2638806</a> MS12-006: Description of the security update for Winhttp in Windows Server 2003 and Windows XP Professional x64 Edition: January 10, 2012</div></td></tr>
<tr><td>1</td><td>Setting the value to 1 means "enabled for all." This means that callers do not have to send the flag, and schannel will split all SSL records. With this value set, applications do not have to make any change. A customer who is very concerned about system security can help make their system safer by enabling this registry key.</td></tr>
<tr><td>2</td><td>Setting the value to 2 means "disabled for all." This means that schannel will not split the records for any encryption call that the application makes. This mode does not honor the Secure flag that an application sends.</td></tr>
</table></div>
Based on internal testing, we found that you cannot feasibly set the registry value to 1 because it can break too many scenarios in an enterprise. Therefore, we discourage users from using it.<br />
<h3>Known issues with enabling the SendExtraRecord registry entry</h3>
<ul>
<li>Setting the SendExtraRecord registry value to 1 enforces record-splitting in every call to encrypt data in schannel. This occurs regardless of whether the caller sent the Secure flag during session initialization.</li>
<li>Many applications that use schannel are written so that the receiver side assumes that application data will be packed into a single packet. This occurs even though the application calls schannel for decryption. The applications ignore a flag that is set by schannel. The flag indicates to the application that there is more data to be decrypted and picked up by the receiver. This method does not follow the MSDN-prescribed method of using schannel. Because the security update enforces record-splitting, this breaks such applications.</li>
<li>Broken applications include Microsoft products and in-box components. The following are examples of scenarios that may be broken when the SendExtraRecord registry value is set to 1:
<ul>
<li>All SQL products, and applications that are built on SQL.</li>
<li>Terminal Servers that have Network Level Authentication (NLA) turned on. By default, NLA is enabled in Windows Vista and later versions of Windows.</li>
<li>Some Routing and Remote Access Service (RRAS) scenarios.</li>
</ul></li>
</ul>
Setting the SendExtraRecord registry value to 1 enforces the secure record-splitting for all applications that use Windows TLS/SSL. However, this setting is likely to have application compatibility issues. Therefore, we recommend that customers configure TLS 1.1 and TLS 1.2 instead of using this registry setting. TLS 1.1 and TLS 1.2 are not vulnerable to this issue.<br /><br />
If a user intends to use this registry setting, we recommend that they extensively test application compatibility before they implement it. Some common products that are known to be affected by this setting include Microsoft SQL products, Windows Terminal Server, and Windows Remote Access Server.<br />
</div>
<h2>FAQ</h2>
<div><span>Q:</span> What can Microsoft do to help me fix my server-side application?<br />
<span>A:</span> Make sure that your application can handle the fragmentation of SSL/TLS application records, as described in the following RFCs:<br />
<ul>
<li><a href="http://www.ietf.org/rfc/rfc2246.txt" target="_self">TLS 1.0: http://www.ietf.org/rfc/rfc2246.txt paragraph 6.2.1</a></li>
<li><a href="http://www.ietf.org/rfc/rfc6101.txt" target="_self">SSL 3.0: http://www.ietf.org/rfc/rfc6101.txt paragraph 5.2.1</a></li>
</ul></div>
</body></html>
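The following is an added example (not Microsoft's code) that models the three SendExtraRecord modes from the table above, the 1/n-1 record split that the "Known issues with enabling the SendExtraRecord registry entry" section describes, and the two receiver behaviours behind the FAQ answer: a receiver that assumes one record per application write stops after the first byte, while one that keeps consuming records until the message is complete works. All function and constant names are assumptions; records are framed as unencrypted TLS 1.0 application-data records and schannel itself is not modelled.

```python
"""Model of the MS12-006 1/n-1 record split (added example, not Microsoft's code)."""
from typing import List, Optional

OPT_IN, ENABLED_FOR_ALL, DISABLED_FOR_ALL = 0, 1, 2  # SendExtraRecord values from the KB
APPLICATION_DATA = 0x17                              # TLS content type: application_data
TLS10 = b"\x03\x01"                                  # record-layer version for TLS 1.0

def should_split(send_extra_record: Optional[int], caller_sent_secure_flag: bool) -> bool:
    """Apply the KB's SendExtraRecord table; None models a missing entry (same as 0)."""
    mode = OPT_IN if send_extra_record is None else send_extra_record
    if mode == OPT_IN:
        return caller_sent_secure_flag  # only callers that sent the Secure flag are split
    if mode == ENABLED_FOR_ALL:
        return True                     # every encrypt call is split
    if mode == DISABLED_FOR_ALL:
        return False                    # the Secure flag is not honoured
    raise ValueError(f"unsupported SendExtraRecord value {send_extra_record}")

def frame(payload: bytes) -> bytes:  # type(1) + version(2) + length(2) + payload
    return bytes([APPLICATION_DATA]) + TLS10 + len(payload).to_bytes(2, "big") + payload

def send_application_data(data: bytes, split: bool) -> bytes:
    """One application write becomes one record, or a 1-byte record plus the n-1 rest."""
    if split and len(data) > 1:
        return frame(data[:1]) + frame(data[1:])
    return frame(data)

def parse_records(stream: bytes) -> List[bytes]:
    """Walk the byte stream record by record, as the receiving TLS layer does."""
    out, i = [], 0
    while i < len(stream):
        if stream[i] != APPLICATION_DATA or stream[i + 1:i + 3] != TLS10:
            raise ValueError("not a TLS 1.0 application-data record")
        n = int.from_bytes(stream[i + 3:i + 5], "big")
        out.append(stream[i + 5:i + 5 + n])
        i += 5 + n
    return out

def receive_naive(stream: bytes) -> bytes:
    """Broken pattern from the KB: treat the first decrypted record as the whole message."""
    return parse_records(stream)[0]

def receive_correct(stream: bytes, expected_len: int) -> bytes:
    """Keep consuming records until the application message is complete."""
    buf = bytearray()
    for rec in parse_records(stream):
        buf.extend(rec)
        if len(buf) >= expected_len:
            break
    return bytes(buf)
```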
