Microsoft Fixes BEAST SSL Bug in January Patch Tuesday

Microsoft on Tuesday patched the vulnerability in Windows that was exploited by the BEAST SSL attack tool developed by Juliano Rizzo and Thai Duong last year. The patch is one of several rated important that was issued by Microsoft in January’s Patch Tuesday release, and there also was a critical bulletin released, fixing two separate vulnerabilities in Windows Media Player.

The vulnerability that is fixed by the patch in MS12-006 actually lies in the SSL 3.0/TLS 1.0 protocol. The attack that Rizzo and Duong developed and released in September enables them to decrypt users’ SSL sessions on the fly and hijack them, including sessions with online banking sites and other sensitive sites. The bug has been known for a long time, but it wasn’t until last year that a practical exploitation of it surfaced.

“This vulnerability affects the protocol itself and is not specific to the Windows operating system. The vulnerability could allow information disclosure if an attacker intercepts encrypted web traffic served from an affected system. TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected,” Microsoft said in its bulletin. “The security update addresses the vulnerability by modifying the way that the Windows Secure Channel (SChannel) component sends and receives encrypted network packets.”

The highest priority bulletin for the January release is MS12-004, which includes fixes for two vulnerabilities in Windows Media Player. One of the bugs in that bulletin is the only critical one fixed in January, and it’s a remote code execution flaw. It affects Windows XP, Vista, Server 2003 and Server 2008.

There’s also a vulnerability in the Windows kernel that has the effect of allowing attackers to bypass one of the exploit-mitigation technologies in Windows, SafeSEH. After bypassing that, an attacker could then use other bugs to compromise an affected machine.

“This issue can result in SafeSEH not being enforced for a binary that has been built with support for SafeSEH. This occurs when a binary that was built with Microsoft Visual C++ .NET 2003 RTM is loaded by an application running on a version of Windows that is affected by MS12-001,” Microsoft said in the bulletin.

“The reason that SafeSEH is not enforced in this scenario is because Microsoft Visual C++ .NET 2003 RTM produces binaries with metadata that is a different size than what the Windows loader expects. As a result, the loader conservatively falls back to assuming that the binary does not support SafeSEH. MS12-001 addresses this issue by allowing binaries to have metadata of the size that is produced by Microsoft Visual C++ .NET 2003 RTM.”