Title: Updates available for the "The Error Message Vulnerability" against secured Internet servers
Date Issued: June 6, 1998
Last Modified: June 6, 1998
Code: MS98-002
Source: Microsoft
Microsoft Security Bulletin (MS98-002)

Updates available for the "The Error Message
Vulnerability" against secured Internet servers 

Last Revision: July 6, 1998 

Last week, RSA Data Security notified the Microsoft Product
Security Response Team of a vulnerability that affects properly
implemented versions of the SSL protocol. Daniel
Bleichenbacher, a researcher at Bell Labs, made this discovery.
Bell Labs is the research arm of Lucent Technologies. 

The purpose of this bulletin is to inform Microsoft customers of
this issue, its applicability to Microsoft products, and the
availability of countermeasures Microsoft has developed to
further secure its customers. No customers have currently
reported being impacted by this issue. Only customers who use
the SSL protocol in Microsoft's Internet server products can be
affected by this vulnerability. 

Please see RSA's announcement on this issue for additional
information. A more technical review of Bleichenbacher's
discovery is available from RSA Labs, a division of RSA Data
Security (http://www.rsa.com/rsalabs), as well as from Bell
Labs (http://www.bell-labs.com). 

Description of Issue
Bleichenbacher found that a server which reveals whether the
RSA-encrypted part of an SSL handshake decrypts to a correctly
formatted PKCS #1 block (for example, by returning a distinct
error message when it does not) can be used as an oracle: by
submitting many modified copies of a recorded ciphertext and
observing which ones the server rejects, an attacker can recover
the session secret and so decode the recorded transaction. This
is an issue that requires updating Internet server software, not
client software, such as Internet Explorer. 

To use this vulnerability as an attack, the attacker must first
be able to observe the encrypted transaction between a web
client and a web server. Once a recording of this encrypted
transaction is made, the attacker would then need to send a
large number of carefully constructed messages, each derived
from the recorded ciphertext, to the original web server and
analyze the responses. After approximately one million
messages, the attacker would be able to decode the information
contained in the single encrypted transaction they had earlier
recorded. 
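The mechanism described above, as an added example that is not part of the bulletin and not Microsoft's code: a toy Python model of the oracle. It assumes a hypothetical 512-bit RSA key generated on the fly, a 48-byte premaster secret, a `vulnerable_server` that answers a malformed PKCS #1 block with a distinct alert, a `hardened_server` that instead carries on with a random premaster secret (the standard countermeasure later written into the TLS specifications), and attacker probes of the form c * s^e mod n. All function names are this example's own. The million-message search itself is not implemented; the point is the one bit each probe leaks from the vulnerable server and why the fix removes it.

```python
# Added example (not from the bulletin): a toy model of the "error message" oracle.
import secrets
PMS_LEN = 48  # length of an SSL premaster secret

def is_probable_prime(n, rounds=32):  # Miller-Rabin; enough for a throwaway demo key
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def generate_toy_key(bits=512):
    """Hypothetical 512-bit demo key with e=65537; far too small for real use."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)

def pkcs1_v15_encrypt(pub, msg):
    """RSAES-PKCS1-v1_5 block: 00 02 <nonzero padding, >= 8 bytes> 00 <msg>."""
    n, e = pub
    ps_len = (n.bit_length() + 7) // 8 - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long for this modulus")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(ps_len))
    return pow(int.from_bytes(b"\x00\x02" + ps + b"\x00" + msg, "big"), e, n)

def pkcs1_v15_decrypt(priv, c):
    """Raw RSA decrypt, then strip the padding; raises ValueError if malformed."""
    n, d = priv
    em = pow(c, d, n).to_bytes((n.bit_length() + 7) // 8, "big")
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x02" or sep < 10:  # bad type, no separator, or < 8 pad bytes
        raise ValueError("malformed PKCS#1 block")
    return em[sep + 1:]

def vulnerable_server(priv, c):
    """Pre-fix behaviour: a padding failure gets its own, distinguishable response."""
    try:
        pms = pkcs1_v15_decrypt(priv, c)
    except ValueError:
        return "alert: decryption failed", None  # this response is the oracle
    return "continue", pms  # (what the attacker observes, premaster secret in use)

def hardened_server(priv, c):
    """Fixed behaviour: on any failure, silently use a random premaster secret and carry
    on; the handshake later dies at the Finished check just as for any wrong ciphertext."""
    try:
        pms = pkcs1_v15_decrypt(priv, c)
    except ValueError:
        pms = b""
    return "continue", pms if len(pms) == PMS_LEN else secrets.token_bytes(PMS_LEN)

def blind(pub, c, s):
    """Attacker's probe: c * s^e mod n decrypts to m * s mod n, which the attacker never sees."""
    n, e = pub
    return (c * pow(s, e, n)) % n

def oracle_leaks(server, pub, priv, c, probes):
    """True if the visible responses separate PKCS-conforming probes from the rest."""
    seen = {True: set(), False: set()}
    for s in probes:
        c2 = blind(pub, c, s)
        try:
            pkcs1_v15_decrypt(priv, c2)  # ground truth, computed here with the private key
            conforming = True
        except ValueError:
            conforming = False
        seen[conforming].add(server(priv, c2)[0])
    return bool(seen[True] and seen[False] and seen[True].isdisjoint(seen[False]))

def demo(num_random_probes=32):
    n, e, d = generate_toy_key()
    pub, priv = (n, e), (n, d)
    pms = b"\x03\x00" + secrets.token_bytes(PMS_LEN - 2)  # constructed recorded session
    c = pkcs1_v15_encrypt(pub, pms)  # the ciphertext the attacker captured
    probes = [1] + [secrets.randbelow(n - 2) + 2 for _ in range(num_random_probes)]
    return {
        "vulnerable_leaks": oracle_leaks(vulnerable_server, pub, priv, c, probes),
        "hardened_leaks": oracle_leaks(hardened_server, pub, priv, c, probes),
        "roundtrip_ok": vulnerable_server(priv, c)[1] == pms == hardened_server(priv, c)[1],
    }
```

`demo()` returns `vulnerable_leaks` True and `hardened_leaks` False: the vulnerable server's alert tells the attacker exactly which blinded ciphertexts decrypt to a conforming block, which is the information the million-message search needs, while the hardened server answers every probe the same way. Note that the hardened version also replaces a well-padded but wrongly sized secret, so the length check cannot become a second oracle.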

This would not give the attacker an advantage in decoding any
other transactions that had been made by the server, nor would
it necessarily give the attacker an advantage in decoding any
other transactions performed by the user: the attack recovers
the secret of one recorded session, not the server's private key. 

Due to the large number of messages needed, a web site
operator could detect an attack through observations such as
abnormal network or CPU utilization. 

Unlike some vulnerabilities that can be exploited more quickly by
dividing the workload between multiple attacking machines, this
attack cannot be divided among attackers to reduce the
amount of work or time required to complete the attack, as
long as only one server holds the private key. This is because
the server is doing all the work, and is the gating factor in
the attacker being able to decode the transaction. The faster
an attacker tries to decode the information, the more of a
strain it would put on the server, and the more detectable the
attack would become. (If several servers share the same
certificate and private key, each of them can act as an oracle
for the same recorded transaction; see "Use a certificate on
only a single system" below.) 

Applicability to Microsoft Software
The Microsoft Product Security Response Team has produced
an update that will work with the following Microsoft Internet
server software: 

     Microsoft Internet Information Server 3.0 and 4.0 
     Microsoft Site Server 3.0 Commerce Edition 
     Microsoft Site Server, Enterprise Edition 
     Microsoft Exchange 5.0 and 5.5 (for SSL-enabled POP3
     and SMTP) 

Microsoft's Internet server software provides SSL 2.0, SSL 3.0,
PCT 1.0, and TLS 1.0 for securing Internet-based
communications. These protocols are all implemented in a single
file called SCHANNEL.DLL, which is shared by the Microsoft
Internet server software listed above. Updating this single file
will resolve this vulnerability for these Microsoft server
products. 

No updates are required for Internet client software, such as
Internet Explorer. 

What customers should do
Only customers that use SSL on their internet servers need to
take action. This issue affects both 40-bit and 128-bit versions
of SSL (including SGC). Customers who use the server products
listed above, but do not use SSL are not affected and do not
need to take any action. 

Customers who use Microsoft internet client software are not
affected and do not need to take any action. 

Microsoft strongly recommends that customers using secure
SSL Internet services with any of the Microsoft products listed
above should update to the latest version of SCHANNEL.DLL.
More information on obtaining the latest version of
SCHANNEL.DLL can be found in Microsoft Knowledge Base article
Q148427, Updates in SChannel.DLL,
http://support.microsoft.com/support/kb/articles/q148/4/27.asp

In addition, the following practices can help to further improve
security for SSL-enabled Internet servers: 

     Change server-side certificates on a periodic basis: By
     changing the certificate, and with it the private key, on a
     server, an attacker will no longer be able to use this
     vulnerability to decode transactions that were encrypted
     with the previous private key, because the server no longer
     holds that key. Reissuing a certificate for the same key pair
     does not help; it is the key that must change.

     Use a certificate on only a single system: Sometimes in
     server farms (large clusters of servers) the same
     certificate, and so the same private key, is installed on
     multiple systems. This is not recommended for the most
     secure solutions. If multiple servers are configured with the
     same certificate, each of them can answer the attacker's
     probes for the same recorded transaction, so the attacker
     could use the processing strength of every server in
     parallel to break a single session, thus reducing the time
     required.

     Monitor normal trend performance and look for changes:
     Since this attack uses the processing power of the server
     against itself, regular monitoring of CPU utilization and
     network traffic could give warning of an attack. For
     example, watching for a large amount of network traffic
     from a single source might indicate an attack. 
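The last two practices combined, as an added example that is not from the bulletin: a small Python detector that counts SSL handshakes per source and minute, once per server and once per certificate, so that a source spreading its probes across a farm that shares one certificate still shows up as a single attacker. The record format, the server-to-certificate map (`CERT_OF_SERVER`) and the sample traffic are all constructed for the example, and the limit of 200 handshakes per minute is an arbitrary placeholder to be replaced by a site's own measured baseline.

```python
# Added example (not from the bulletin): per-source handshake counting, aggregated
# per certificate rather than per server. Farm layout and log lines are constructed.
import re
from collections import Counter

# Assumed layout: www1 and www2 share one certificate, and therefore one private key.
CERT_OF_SERVER = {"www1": "cert-A", "www2": "cert-A", "www3": "cert-B"}

# Hypothetical one-record-per-handshake format, e.g. from a front-end probe.
LINE = re.compile(r"^(?P<ts>\S+) srv=(?P<srv>\S+) src=(?P<src>\S+) ev=(?P<ev>\S+)$")

def parse(lines):
    """Yield the fields of each well-formed record; skip anything else."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield m.groupdict()

def handshake_counts(records, bucket_of_server):
    """Count ssl_handshake events per (bucket, source, minute)."""
    counts = Counter()
    for r in records:
        if r["ev"] == "ssl_handshake":
            counts[(bucket_of_server(r["srv"]), r["src"], r["ts"][:16])] += 1
    return counts

def flag_sources(counts, per_minute_limit):
    """Sources over the limit in any one minute, as sorted (bucket, source) pairs."""
    return sorted({(b, src) for (b, src, _), n in counts.items() if n > per_minute_limit})

def analyse(lines, per_minute_limit=200):
    """Return (flags when counting per server, flags when counting per certificate)."""
    records = list(parse(lines))
    per_server = flag_sources(handshake_counts(records, lambda s: s), per_minute_limit)
    per_cert = flag_sources(
        handshake_counts(records, lambda s: CERT_OF_SERVER.get(s, s)), per_minute_limit)
    return per_server, per_cert

def build_sample_log():
    """Constructed traffic, not real data: 30 ordinary clients making one handshake
    per server per minute, plus one source making 150 per server per minute,
    spread over both servers that share cert-A."""
    lines = []
    for minute in range(3):
        ts = f"1998-06-26T10:{minute:02d}:00"
        for srv in ("www1", "www2"):
            lines += [f"{ts} srv={srv} src=198.51.100.{i} ev=ssl_handshake" for i in range(1, 31)]
            lines += [f"{ts} srv={srv} src=203.0.113.7 ev=ssl_handshake"] * 150
    lines.append("garbage line that does not parse")
    return lines
```

With the sample traffic, `analyse(build_sample_log())` flags nothing when counting per server (150 per minute on each node is under the limit) but flags `("cert-A", "203.0.113.7")` when counting per certificate (300 per minute against the shared key). The same aggregation applies to CPU trend monitoring: for a shared key, the load that matters is the sum across every server holding it.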

Customers should review their deployments of products using
SSL from all vendors and determine if they have any vulnerable
implementations. 

Bulletin Revision Information 

     June 26, 1998: Bulletin Created 
     July 6, 1998: Updates to hyperlink information, and other
     minor updates 

For more information
There are a number of sources for more information on this
issue. 

     Microsoft Knowledge Base article Q148427, Updates in
     SChannel.DLL,
     http://support.microsoft.com/support/kb/articles/q148/4/27.asp
     RSA Labs advisory information,
     http://www.rsa.com/rsalabs/pkcs1/ 
     Bell Labs, http://www.bell-labs.com 
     CERT Advisory CA-98.07.PKCS,
     http://www.cert.org/advisories/CA-98.07.PKCS.html 

For additional information on security issues at Microsoft, please
visit www.microsoft.com/security 

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE
BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.
MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR
IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL
MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR
SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL
DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. 

                            
          © 1998 Microsoft and/or its suppliers. All rights reserved. 
    For Terms of Use see http://support.microsoft.com/support/misc/cpyright.asp.