Otkriven je propust u radu operacijskog sustava Microsoft Windows. On omogućuje zlonamjernom korisniku otkrivanje osjetljivih podataka iz sigurne sjednice.

Secunia Advisory SA46168
Microsoft Windows SSL/TLS Information Disclosure Vulnerability
Release Date 	2011-09-27

Criticality level 	Not criticalNot critical
Impact 	Hijacking
Exposure of sensitive information
Where 	From remote
Authentication level 	Available in Customer Area
  	 
Report reliability 	Available in Customer Area
Solution Status 	Vendor Workaround
  	 
Systems affected 	Available in Customer Area
Approve distribution 	Available in Customer Area
  	 
Operating System	
	Microsoft Windows 7
	Microsoft Windows Server 2003 Datacenter Edition
	Microsoft Windows Server 2003 Enterprise Edition
	Microsoft Windows Server 2003 Standard Edition
	Microsoft Windows Server 2003 Web Edition
	Microsoft Windows Server 2008
	Microsoft Windows Storage Server 2003
	Microsoft Windows Vista
	Microsoft Windows XP Home Edition
	Microsoft Windows XP Professional

Secunia CVSS Score 	Available in Customer Area
CVE Reference(s) 	CVE-2011-3389 CVSS available in Customer Area
	   	

Description

A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to disclose potentially sensitive information and hijack a user's session.

The vulnerability is caused due to a design error in the Secure Sockets Layer 3.0 (SSL) and Transport Layer Security 1.0 (TLS) protocols when used with symmetric cipher suites in CBC mode (e.g. AES). This can be exploited to obtain certain information, which would allow the decryption of e.g HTTPS sessions via a Man-in-the-Middle (MitM) attack.

Solution
As a workaround enable TLS 1.1 or 1.2 (please see the vendor's advisory for details).

Provided and/or discovered by
Reported by the vendor.

Original Advisory
Microsoft (KB2588513):
http://technet.microsoft.com/en-us/security/advisory/2588513